Windows Analysis Report
msoia.exe

Overview

General Information

Sample name: msoia.exe
Analysis ID: 1541453
MD5: 42cbc8f4803da0f2b8bbd3d13a37fc58
SHA1: c82f1ba623b5f4210ddf7f20c40d4cec70298d92
SHA256: fcf9b70253437c56bb00315da859ce8e40d6410ec405c1473b374359d5277209
Tags: exeuser-N3utralZ0ne
Infos:

Detection

Spark RAT
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Yara detected Spark RAT
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by execution special instruction (VM detection)
Uses known network protocols on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Entry point lies outside standard sections
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: msoia.exe Joe Sandbox ML: detected
Source: msoia.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2047681 - Severity 1 - ET MALWARE Spark RAT CnC Checkin (POST) : 192.168.2.4:49732 -> 67.217.62.106:4443
Source: Network traffic Suricata IDS: 2046669 - Severity 1 - ET MALWARE Win32/SparkRAT CnC Checkin (GET) : 192.168.2.4:49730 -> 67.217.62.106:4443
Source: Network traffic Suricata IDS: 2855151 - Severity 1 - ETPRO MALWARE Spark RAT User-Agent Observed : 192.168.2.4:49732 -> 67.217.62.106:4443
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 4443
Source: unknown Network traffic detected: HTTP traffic on port 4443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 4443
Source: unknown Network traffic detected: HTTP traffic on port 4443 -> 49732
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 67.217.62.106:4443
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.217.62.106 67.217.62.106
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: IS-AS-1US IS-AS-1US
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: global traffic HTTP traffic detected: GET /ws HTTP/1.1Host: 67.217.62.106:4443User-Agent: Go-http-client/1.1Connection: UpgradeKey: 4fdab31bb8e2932dfe20f92f3fdea3e6eebd95389486a97ad3543bb1583efe62Sec-WebSocket-Key: jhCCtGGF33HQoR6MWGiUwQ==Sec-WebSocket-Version: 13UUID: b43dfc4b543363da522193b18b484cdbUpgrade: websocket
Source: unknown HTTP traffic detected: POST /api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows HTTP/1.1Host: 67.217.62.106:4443User-Agent: SPARK COMMIT: 08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17Content-Length: 384Content-Type: application/octet-streamSecret: 9720ab8477877d05d378b601eb96dd83d800b53b6e2aeb71f69584a5b85b7ee6Accept-Encoding: gzipData Raw: 00 d1 90 85 18 8b ff 63 98 5e 11 5e 5d b8 69 9e 0f 49 58 c3 2f 19 02 7d f2 15 50 2a 9c 28 49 96 4b df 81 9d b6 f0 bc d5 80 19 14 f1 3e 58 d4 71 3d 91 b2 c8 8c 7b 77 cf fc c2 6d 39 a2 b0 3c 29 f6 e3 42 96 e0 37 ad 9a 86 3b 45 1b b1 1b 97 f3 79 24 d7 2f 8d 44 ab 4b bb 42 41 db 78 e1 69 5e ca 75 94 a9 9b f5 53 e8 5c c1 36 85 7e d9 e9 41 4e 00 38 1e 1b 76 82 2f fb 85 d1 d0 88 86 2c fc 6f aa 8a 58 46 8a 30 61 fb 6f ca ad a8 a0 c5 9b c1 a2 d4 f3 22 da ec 6b 66 6b 36 64 87 88 ed da 4e fc fc 2e 12 e3 84 68 40 f6 cb 76 b1 25 4d 1a b9 a3 0d f9 d6 85 72 de 26 7d 13 09 73 69 0d 3d 06 5c 7a 45 4f 86 a6 0a 74 e4 ff 04 a4 c7 b9 e7 6a 6e e3 68 1f e5 03 dc d4 68 e4 5e 30 03 59 f6 68 1f 64 af cb 5d 03 2e 39 3f 39 67 f4 9a a7 e9 5a 53 bb 85 c7 8c 08 0e 55 f3 7e 0b d0 56 13 ec 7c 5d 39 45 f5 83 d3 29 67 7b 08 9d b7 3c 07 1f 06 96 98 c9 68 89 23 fb 0e 23 50 2e ae 1a 6f 97 6f 00 96 11 47 f3 65 09 5a e1 1c 89 a7 81 1f 60 34 58 78 0d f8 e2 c7 18 0c 3a 69 7e 73 7c 8e 96 8d 7c 49 de e2 97 85 7a 3e b7 3e 7c ff 2d f9 13 1c f2 70 ed a9 89 6b 7e 12 ff b9 6d 4e 6e 0f be 73 3d ce 03 85 79 67 82 61 4d 5f aa c8 f6 f0 c7 b8 f2 f3 d4 4d bc a4 87 c4 79 dd 9c 84 41 1a 35 Data Ascii: c^^]iIX/}P*(IK>Xq={wm9<)B7;Ey$/DKBAxi^uS\6~AN8v/,oXF0ao"kfk6dN.h@v%Mr&}si=\zEOtjnhh^0Yhd].9?9gZSU~V|]9E)g{<h##P.ooGeZ`4Xx:i~s||Iz>>|-pk~mNns=ygaM_MyA5
Installs a raw input device (often for capturing keystrokes)
Source: msoia.exe, 00000000.00000002.3007239925.00000000010A9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: (no semicolon) is unavailable()<>@,;:\"/[]?=,M3.2.0,M11.1.0-- is not valid0601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryCLSIDFromProgIDCLSIDFromStringCallWindowProcWClientAuthType(CreateHardLinkWCreatePopupMenuCreateWindowExWDeviceIoControlDiacriticalDot;DialogBoxParamWDoubleRightTee;DownLeftVector;DragAcceptFilesDrawThemeTextExDuplicateHandleEBCDIC-CyrillicExcludeClipRectFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGdiplusShutdownGetActiveObjectGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleGreaterGreater;Hanifi_RohingyaHorizontalLine;ISO-10646-UCS-2ISO-10646-UCS-4ISO-10646-UTF-1ISO-2022-CN-EXTISO121Canadian1ISO122Canadian2ISO139CSN369103ISO13JISC6220jpISO141JUSIB1002ISO14JISC6220roISO16PortugueseISO19LatinGreekISO47BSViewdataISO5427CyrillicISO60Norwegian1ISO61Norwegian2ISO646-JP-OCR-BISO646basic1983ISO_8859-1:1987ISO_8859-2:1987ISO_8859-3:1988ISO_8859-4:1988ISO_8859-5:1988ISO_8859-6:1987ISO_8859-7:1987ISO_8859-8:1988ISO_8859-9:1989Idempotency-KeyImpersonateSelfInsertMenuItemWInvisibleComma;InvisibleTimes;IsWindowEnabledIsWindowVisibleIsWow64Process2LeftDownVector;LeftRightArrow;Leftrightarrow;Length RequiredLessSlantEqual;LockWorkStationLongRightArrow;Longrightarrow;LowerLeftArrow;NestedLessLess;Not ImplementedNotGreaterLess;NotLessGreater;NotSubsetEqual;NotVerticalBar;NtResumeProcessOSDEBCDICDF0415OleUninitializeOpenCurlyQuote;OpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPlayEnhMetaFilePostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutReverseElement;RightTeeVector;RightVectorBar;RtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSameSite=StrictSetActiveWindowSetCommTimeoutsSetSecurityInfoSetSuspendStateSetVolumeLabelWSetWinEventHookShortDownArrow;ShortLeftArrow;SquareSuperset;StringFromCLSIDStringFromGUID2TERMINAL_OUTPUTTERMINAL_RESIZETildeFullEqual;TrackMouseEventUnicodeJapaneseUnmapViewOfFileUpperLeftArrow;WindowFromPointWindows30Latin1Windows31Latin1Windows31Latin2Windows31Latin5X-Forwarded-ForZeroWidthSpace;] memstr_35de6992-8
Source: classification engine Classification label: mal92.troj.evad.winEXE@4/1@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Users\user\Desktop\msoia.exe File opened: C:\Windows\system32\6ec84874b867175fdfa32d548bdbbac49283c91d50340984410e80dd4dd6028aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\msoia.exe "C:\Users\user\Desktop\msoia.exe"
Source: C:\Users\user\Desktop\msoia.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\msoia.exe Process created: C:\Windows\System32\cmd.exe cmd ver
Source: C:\Users\user\Desktop\msoia.exe Process created: C:\Windows\System32\cmd.exe cmd ver Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32 Jump to behavior
Source: msoia.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: msoia.exe Static file information: File size 16498688 > 1048576
Source: msoia.exe Static PE information: Raw size of .bss3 is bigger than: 0x100000 < 0xfbae00
Source: msoia.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .bss3
PE file contains sections with non-standard names
Source: msoia.exe Static PE information: section name: .bss0
Source: msoia.exe Static PE information: section name: .symtab
Source: msoia.exe Static PE information: section name: .bss1
Source: msoia.exe Static PE information: section name: .bss2
Source: msoia.exe Static PE information: section name: .bss3
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED79E8D pushad ; iretd 0_3_000001CA8ED79E8E
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED79E8D pushad ; iretd 0_3_000001CA8ED79E8E
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED87940 push eax; ret 0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED79E8D pushad ; iretd 0_3_000001CA8ED79E8E
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED79E8D pushad ; iretd 0_3_000001CA8ED79E8E
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe Code function: 0_3_000001CA8ED85BBD pushad ; iretd 0_3_000001CA8ED85BBE

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Users\user\Desktop\msoia.exe Memory written: PID: 7004 base: 7FFE22370008 value: E9 EB D9 E9 FF Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Memory written: PID: 7004 base: 7FFE2220D9F0 value: E9 20 26 16 00 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Memory written: PID: 7004 base: 7FFE2238000D value: E9 BB CB EB FF Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Memory written: PID: 7004 base: 7FFE2223CBC0 value: E9 5A 34 14 00 Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 4443
Source: unknown Network traffic detected: HTTP traffic on port 4443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 4443
Source: unknown Network traffic detected: HTTP traffic on port 4443 -> 49732
Source: C:\Users\user\Desktop\msoia.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to evade analysis by execution special instruction (VM detection)
Source: C:\Users\user\Desktop\msoia.exe Special instruction interceptor: First address: 2CEC7EB instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\msoia.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect debuggers (CloseHandle check)
Source: C:\Users\user\Desktop\msoia.exe Handle closed: DEADC0DE
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\msoia.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\msoia.exe Process token adjusted: Debug Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\msoia.exe NtMapViewOfSection: Direct from: 0x1DC7C19 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x1EE4F0B Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtUnmapViewOfSection: Direct from: 0x1DA60BD Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtSetInformationProcess: Direct from: 0x20BCA39 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtClose: Direct from: 0x20846AF
Source: C:\Users\user\Desktop\msoia.exe NtQueryInformationProcess: Direct from: 0x1DC9386 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x1DE16FB Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtSetInformationThread: Direct from: 0x1DDD8D6 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x204A369 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtQueryInformationProcess: Direct from: 0x233B8C9 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x205A5D3 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x21E0F2A Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x21E6A86 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x234DA85 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x204DB2D Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtQueryInformationProcess: Direct from: 0x1DB4570 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtQueryInformationProcess: Direct from: 0x1DB77FA Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Indirect: 0x1806AF4 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x1E0A3FF Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtQueryInformationProcess: Direct from: 0x1EF4C51 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtSetInformationThread: Direct from: 0x2129CB4 Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe NtProtectVirtualMemory: Direct from: 0x1D5C0F2 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\msoia.exe Process created: C:\Windows\System32\cmd.exe cmd ver Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Spark RAT
Source: Yara match File source: 00000000.00000002.3007239925.00000000010A9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msoia.exe PID: 7004, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Spark RAT
Source: Yara match File source: 00000000.00000002.3007239925.00000000010A9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msoia.exe PID: 7004, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1541453 Sample: msoia.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 92 16 Suricata IDS alerts for network traffic 2->16 18 Yara detected Spark RAT 2->18 20 Machine Learning detection for sample 2->20 22 3 other signatures 2->22 6 msoia.exe 1 2->6         started        process3 dnsIp4 14 67.217.62.106, 4443, 49730, 49732 IS-AS-1US United States 6->14 24 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 6->24 26 Tries to evade analysis by execution special instruction (VM detection) 6->26 28 Tries to detect debuggers (CloseHandle check) 6->28 30 2 other signatures 6->30 10 conhost.exe 6->10         started        12 cmd.exe 1 6->12         started        signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
67.217.62.106
 unknown United States
19318 IS-AS-1US true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://67.217.62.106:4443/ws true
    		unknown
    http://67.217.62.106:4443/api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows true
      		unknown