Edit tour

Windows Analysis Report
msoia.exe

Overview

General Information

Sample name:	msoia.exe
Analysis ID:	1541453
MD5:	42cbc8f4803da0f2b8bbd3d13a37fc58
SHA1:	c82f1ba623b5f4210ddf7f20c40d4cec70298d92
SHA256:	fcf9b70253437c56bb00315da859ce8e40d6410ec405c1473b374359d5277209
Tags:	exeuser-N3utralZ0ne
Infos:

Detection

Spark RAT

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

Yara detected Spark RAT

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to detect debuggers (CloseHandle check)

Tries to evade analysis by execution special instruction (VM detection)

Uses known network protocols on non-standard ports

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Entry point lies outside standard sections

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msoia.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\msoia.exe" MD5: 42CBC8F4803DA0F2B8BBD3D13A37FC58)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6008 cmdline: cmd ver MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3007239925.00000000010A9000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SparkRAT	Yara detected Spark RAT	Joe Security
Process Memory Space: msoia.exe PID: 7004	JoeSecurity_SparkRAT	Yara detected Spark RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 67.217.62.106, DestinationIsIpv6: false, DestinationPort: 4443, EventID: 3, Image: C:\Users\user\Desktop\msoia.exe, Initiated: true, ProcessId: 7004, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ET MALWARE Spark RAT CnC Checkin (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:05:17.355535+0200	2047681	1	A Network Trojan was detected	192.168.2.4	49732	67.217.62.106	4443	TCP

ET MALWARE Win32/SparkRAT CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:05:11.707648+0200	2046669	1	Malware Command and Control Activity Detected	192.168.2.4	49730	67.217.62.106	4443	TCP

ETPRO MALWARE Spark RAT User-Agent Observed

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:05:17.355535+0200	2855151	1	A Network Trojan was detected	192.168.2.4	49732	67.217.62.106	4443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: msoia.exe

Joe Sandbox ML: detected

Source: msoia.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2047681 - Severity 1 - ET MALWARE Spark RAT CnC Checkin (POST) : 192.168.2.4:49732 -> 67.217.62.106:4443
Source: Network traffic	Suricata IDS: 2046669 - Severity 1 - ET MALWARE Win32/SparkRAT CnC Checkin (GET) : 192.168.2.4:49730 -> 67.217.62.106:4443
Source: Network traffic	Suricata IDS: 2855151 - Severity 1 - ETPRO MALWARE Spark RAT User-Agent Observed : 192.168.2.4:49732 -> 67.217.62.106:4443

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 4443
Source: unknown	Network traffic detected: HTTP traffic on port 4443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 4443
Source: unknown	Network traffic detected: HTTP traffic on port 4443 -> 49732

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 67.217.62.106:4443

Source: Joe Sandbox View

IP Address: 67.217.62.106 67.217.62.106

Source: Joe Sandbox View

ASN Name: IS-AS-1US IS-AS-1US

Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106
Source: unknown	TCP traffic detected without corresponding DNS query: 67.217.62.106

Source: global traffic

HTTP traffic detected: GET /ws HTTP/1.1Host: 67.217.62.106:4443User-Agent: Go-http-client/1.1Connection: UpgradeKey: 4fdab31bb8e2932dfe20f92f3fdea3e6eebd95389486a97ad3543bb1583efe62Sec-WebSocket-Key: jhCCtGGF33HQoR6MWGiUwQ==Sec-WebSocket-Version: 13UUID: b43dfc4b543363da522193b18b484cdbUpgrade: websocket

Source: unknown

HTTP traffic detected: POST /api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows HTTP/1.1Host: 67.217.62.106:4443User-Agent: SPARK COMMIT: 08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17Content-Length: 384Content-Type: application/octet-streamSecret: 9720ab8477877d05d378b601eb96dd83d800b53b6e2aeb71f69584a5b85b7ee6Accept-Encoding: gzipData Raw: 00 d1 90 85 18 8b ff 63 98 5e 11 5e 5d b8 69 9e 0f 49 58 c3 2f 19 02 7d f2 15 50 2a 9c 28 49 96 4b df 81 9d b6 f0 bc d5 80 19 14 f1 3e 58 d4 71 3d 91 b2 c8 8c 7b 77 cf fc c2 6d 39 a2 b0 3c 29 f6 e3 42 96 e0 37 ad 9a 86 3b 45 1b b1 1b 97 f3 79 24 d7 2f 8d 44 ab 4b bb 42 41 db 78 e1 69 5e ca 75 94 a9 9b f5 53 e8 5c c1 36 85 7e d9 e9 41 4e 00 38 1e 1b 76 82 2f fb 85 d1 d0 88 86 2c fc 6f aa 8a 58 46 8a 30 61 fb 6f ca ad a8 a0 c5 9b c1 a2 d4 f3 22 da ec 6b 66 6b 36 64 87 88 ed da 4e fc fc 2e 12 e3 84 68 40 f6 cb 76 b1 25 4d 1a b9 a3 0d f9 d6 85 72 de 26 7d 13 09 73 69 0d 3d 06 5c 7a 45 4f 86 a6 0a 74 e4 ff 04 a4 c7 b9 e7 6a 6e e3 68 1f e5 03 dc d4 68 e4 5e 30 03 59 f6 68 1f 64 af cb 5d 03 2e 39 3f 39 67 f4 9a a7 e9 5a 53 bb 85 c7 8c 08 0e 55 f3 7e 0b d0 56 13 ec 7c 5d 39 45 f5 83 d3 29 67 7b 08 9d b7 3c 07 1f 06 96 98 c9 68 89 23 fb 0e 23 50 2e ae 1a 6f 97 6f 00 96 11 47 f3 65 09 5a e1 1c 89 a7 81 1f 60 34 58 78 0d f8 e2 c7 18 0c 3a 69 7e 73 7c 8e 96 8d 7c 49 de e2 97 85 7a 3e b7 3e 7c ff 2d f9 13 1c f2 70 ed a9 89 6b 7e 12 ff b9 6d 4e 6e 0f be 73 3d ce 03 85 79 67 82 61 4d 5f aa c8 f6 f0 c7 b8 f2 f3 d4 4d bc a4 87 c4 79 dd 9c 84 41 1a 35 Data Ascii: c^^]iIX/}P*(IK>Xq={wm9<)B7;Ey$/DKBAxi^uS\6~AN8v/,oXF0ao"kfk6dN.h@v%Mr&}si=\zEOtjnhh^0Yhd].9?9gZSU~V|]9E)g{<h##P.ooGeZ`4Xx:i~s||Iz>>|-pk~mNns=ygaM_MyA5

Source: msoia.exe, 00000000.00000002.3007239925.00000000010A9000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: (no semicolon) is unavailable()<>@,;:\"/[]?=,M3.2.0,M11.1.0-- is not valid0601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryCLSIDFromProgIDCLSIDFromStringCallWindowProcWClientAuthType(CreateHardLinkWCreatePopupMenuCreateWindowExWDeviceIoControlDiacriticalDot;DialogBoxParamWDoubleRightTee;DownLeftVector;DragAcceptFilesDrawThemeTextExDuplicateHandleEBCDIC-CyrillicExcludeClipRectFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGdiplusShutdownGetActiveObjectGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleGreaterGreater;Hanifi_RohingyaHorizontalLine;ISO-10646-UCS-2ISO-10646-UCS-4ISO-10646-UTF-1ISO-2022-CN-EXTISO121Canadian1ISO122Canadian2ISO139CSN369103ISO13JISC6220jpISO141JUSIB1002ISO14JISC6220roISO16PortugueseISO19LatinGreekISO47BSViewdataISO5427CyrillicISO60Norwegian1ISO61Norwegian2ISO646-JP-OCR-BISO646basic1983ISO_8859-1:1987ISO_8859-2:1987ISO_8859-3:1988ISO_8859-4:1988ISO_8859-5:1988ISO_8859-6:1987ISO_8859-7:1987ISO_8859-8:1988ISO_8859-9:1989Idempotency-KeyImpersonateSelfInsertMenuItemWInvisibleComma;InvisibleTimes;IsWindowEnabledIsWindowVisibleIsWow64Process2LeftDownVector;LeftRightArrow;Leftrightarrow;Length RequiredLessSlantEqual;LockWorkStationLongRightArrow;Longrightarrow;LowerLeftArrow;NestedLessLess;Not ImplementedNotGreaterLess;NotLessGreater;NotSubsetEqual;NotVerticalBar;NtResumeProcessOSDEBCDICDF0415OleUninitializeOpenCurlyQuote;OpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPlayEnhMetaFilePostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutReverseElement;RightTeeVector;RightVectorBar;RtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSameSite=StrictSetActiveWindowSetCommTimeoutsSetSecurityInfoSetSuspendStateSetVolumeLabelWSetWinEventHookShortDownArrow;ShortLeftArrow;SquareSuperset;StringFromCLSIDStringFromGUID2TERMINAL_OUTPUTTERMINAL_RESIZETildeFullEqual;TrackMouseEventUnicodeJapaneseUnmapViewOfFileUpperLeftArrow;WindowFromPointWindows30Latin1Windows31Latin1Windows31Latin2Windows31Latin5X-Forwarded-ForZeroWidthSpace;]

memstr_35de6992-8

Source: classification engine

Classification label: mal92.troj.evad.winEXE@4/1@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03

Source: C:\Users\user\Desktop\msoia.exe

File opened: C:\Windows\system32\6ec84874b867175fdfa32d548bdbbac49283c91d50340984410e80dd4dd6028aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor

Source: C:\Users\user\Desktop\msoia.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\msoia.exe "C:\Users\user\Desktop\msoia.exe"
Source: C:\Users\user\Desktop\msoia.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\msoia.exe	Process created: C:\Windows\System32\cmd.exe cmd ver
Source: C:\Users\user\Desktop\msoia.exe	Process created: C:\Windows\System32\cmd.exe cmd ver	Jump to behavior

Source: C:\Users\user\Desktop\msoia.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\msoia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: msoia.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: msoia.exe

Static file information: File size 16498688 > 1048576

Source: msoia.exe

Static PE information: Raw size of .bss3 is bigger than: 0x100000 < 0xfbae00

Source: msoia.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: .bss3

Source: msoia.exe	Static PE information: section name: .bss0
Source: msoia.exe	Static PE information: section name: .symtab
Source: msoia.exe	Static PE information: section name: .bss1
Source: msoia.exe	Static PE information: section name: .bss2
Source: msoia.exe	Static PE information: section name: .bss3

Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED79E8D pushad ; iretd	0_3_000001CA8ED79E8E
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED79E8D pushad ; iretd	0_3_000001CA8ED79E8E
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED87940 push eax; ret	0_3_000001CA8ED87941
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED79E8D pushad ; iretd	0_3_000001CA8ED79E8E
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED79E8D pushad ; iretd	0_3_000001CA8ED79E8E
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE
Source: C:\Users\user\Desktop\msoia.exe	Code function: 0_3_000001CA8ED85BBD pushad ; iretd	0_3_000001CA8ED85BBE

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\msoia.exe	Memory written: PID: 7004 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Memory written: PID: 7004 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Memory written: PID: 7004 base: 7FFE2238000D value: E9 BB CB EB FF	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Memory written: PID: 7004 base: 7FFE2223CBC0 value: E9 5A 34 14 00	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 4443
Source: unknown	Network traffic detected: HTTP traffic on port 4443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 4443
Source: unknown	Network traffic detected: HTTP traffic on port 4443 -> 49732

Source: C:\Users\user\Desktop\msoia.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\msoia.exe

Special instruction interceptor: First address: 2CEC7EB instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor
Source: C:\Users\user\Desktop\msoia.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM win32_Processor

Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msoia.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\msoia.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Thread information set: HideFromDebugger			Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\msoia.exe

Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\msoia.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\msoia.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\msoia.exe	NtMapViewOfSection: Direct from: 0x1DC7C19	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x1EE4F0B	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtUnmapViewOfSection: Direct from: 0x1DA60BD	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtSetInformationProcess: Direct from: 0x20BCA39	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtClose: Direct from: 0x20846AF
Source: C:\Users\user\Desktop\msoia.exe	NtQueryInformationProcess: Direct from: 0x1DC9386	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x1DE16FB	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtSetInformationThread: Direct from: 0x1DDD8D6	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x204A369	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtQueryInformationProcess: Direct from: 0x233B8C9	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x205A5D3	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x21E0F2A	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x21E6A86	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x234DA85	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x204DB2D	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtQueryInformationProcess: Direct from: 0x1DB4570	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtQueryInformationProcess: Direct from: 0x1DB77FA	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Indirect: 0x1806AF4	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x1E0A3FF	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtQueryInformationProcess: Direct from: 0x1EF4C51	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtSetInformationThread: Direct from: 0x2129CB4	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	NtProtectVirtualMemory: Direct from: 0x1D5C0F2	Jump to behavior

Source: C:\Users\user\Desktop\msoia.exe

Process created: C:\Windows\System32\cmd.exe cmd ver

Jump to behavior

Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msoia.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msoia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Spark RAT

Source: Yara match	File source: 00000000.00000002.3007239925.00000000010A9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msoia.exe PID: 7004, type: MEMORYSTR

Remote Access Functionality

Yara detected Spark RAT

Source: Yara match	File source: 00000000.00000002.3007239925.00000000010A9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msoia.exe PID: 7004, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	12 Virtualization/Sandbox Evasion	1 Credential API Hooking	32 Security Software Discovery	Remote Services	1 Credential API Hooking	11 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Process Injection	11 Input Capture	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	114 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
msoia.exe	100%	Joe Sandbox ML

Name	Malicious	Antivirus Detection	Reputation
http://67.217.62.106:4443/ws	true		unknown
http://67.217.62.106:4443/api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.217.62.106	unknown	United States		19318	IS-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541453
Start date and time:	2024-10-24 21:04:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	msoia.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@4/1@0/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msoia.exe, PID 7004 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: msoia.exe

Simulations

Behavior and APIs

Time	Type	Description
15:05:10	API Interceptor	82x Sleep call for process: msoia.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.217.62.106	dockerc.exe	Get hash	malicious	Spark RAT	Browse	67.217.62.106:4443/api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows
	dockerc.exe	Get hash	malicious	Spark RAT	Browse	67.217.62.106:4443/api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows
	mk6NFaiemI.exe	Get hash	malicious	Spark RAT	Browse	67.217.62.106:4443/api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows
	idvzN3Tv6e.elf	Get hash	malicious	Unknown	Browse	67.217.62.106:4443/api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=linux
	mk6NFaiemI.exe	Get hash	malicious	Spark RAT	Browse	67.217.62.106:4443/api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows
	FjVs8q7ufl.exe	Get hash	malicious	Spark RAT	Browse	67.217.62.106:4443/api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IS-AS-1US	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse	74.50.66.170
	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse	74.50.66.170
	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse	74.50.66.170
	Request for 30 Downpayment.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.250.125.14
	d600758023374f78d58acafbcaf94af66ad203b28e22a.exe	Get hash	malicious	Quasar	Browse	173.214.167.207
	arm5.elf	Get hash	malicious	Mirai	Browse	216.219.94.103
	Pago factura_7273390_2024_I_53430000.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.250.125.14
	na.elf	Get hash	malicious	Mirai	Browse	162.246.17.57
	Install_SH9C73KR_x91.43.exe	Get hash	malicious	Unknown	Browse	205.209.126.138
	Mobile_App_Project_Details.xlsm	Get hash	malicious	Unknown	Browse	162.250.124.142

Process:	C:\Users\user\Desktop\msoia.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.893412632665146
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	msoia.exe
File size:	16'498'688 bytes
MD5:	42cbc8f4803da0f2b8bbd3d13a37fc58
SHA1:	c82f1ba623b5f4210ddf7f20c40d4cec70298d92
SHA256:	fcf9b70253437c56bb00315da859ce8e40d6410ec405c1473b374359d5277209
SHA512:	209819e5d76f536d70e7aff1be6e9b9e4b8f2ffa887286dd27e282019f676b51caa788332ae0a0baf2f8799b0a0f4f517d101b71f71a603df17f696f5686abcb
SSDEEP:	393216:YsHCua3N0h5XbGqz2tZxeO5wgfR+4vhMxGhx+:Ym42h5aMkJ5wgfRdpMx0
TLSH:	0EF6234A65F593E4C4D34B40768A02DA33C1A59EC6FE8D2D3AC72C027F21D6B458AD7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."......t7..V........F.......@...........................................`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x186c2c7
Entrypoint Section:	.bss3
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	9da18038e0ba9a33fbbaf76636ea1aff

Entrypoint Preview

Instruction
push ebp
pushfd
dec eax
mov ebp, 4090D93Ah
movsd
push edi
movsb
das
add bp, E518h
dec eax
shr ebp, FFFFFFFFh
dec eax
lea ebp, dword ptr [ebp+ebp*4+0F058108h]
inc eax
sub ch, ch
dec eax
sub ebp, ebp
dec eax
mov ebp, dword ptr [esp+ebp*4+00000008h]
dec eax
mov dword ptr [esp+08h], 61D42C1Fh
push dword ptr [esp+00h]
popfd
dec eax
lea esp, dword ptr [esp+08h]
call 00007F8434AF5FAAh
xchg eax, ebp
push es
inc ecx
sbb byte ptr [edi], bl
movsd
in eax, dx
lds edi, ecx
xchg eax, edi
pushfd
iretd
and eax, 97F1E5F5h
pushfd
iretd
sub eax, 971123DDh
pushfd
iretd
int 35h
mov edx, dword ptr [ecx+4DCF9C97h]
fstp qword ptr [ecx]
cmp dword ptr [edi-221A3064h], edx
mov esi, 5CB7631Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x116f418	0x50	.bss3
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1fc4460	0x28c8	.bss3
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1fc7000	0xcc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x100b000	0x58	.bss2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x377268	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x379000	0x37c168	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6f6000	0x168be0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x85f000	0x47c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss0	0x860000	0x12334	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.symtab	0x873000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ
.bss1	0x874000	0x7961f9	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss2	0x100b000	0x810	0xa00	6ae61253a71fbeca72f7987a93af3722	False	0.025390625	data	0.1467378384792775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss3	0x100c000	0xfbad28	0xfbae00	b0ec3c095d0d5654a4acffe2905e961b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1fc7000	0xcc	0x200	9edd410f1d862a8b2beb3d5369a5fe97	False	0.302734375	data	1.9454927733312573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
kernel32.dll	WriteFile
kernel32.dll	GetSystemTimeAsFileTime
kernel32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T21:05:11.707648+0200	2046669	ET MALWARE Win32/SparkRAT CnC Checkin (GET)	1	192.168.2.4	49730	67.217.62.106	4443	TCP
2024-10-24T21:05:17.355535+0200	2047681	ET MALWARE Spark RAT CnC Checkin (POST)	1	192.168.2.4	49732	67.217.62.106	4443	TCP
2024-10-24T21:05:17.355535+0200	2855151	ETPRO MALWARE Spark RAT User-Agent Observed	1	192.168.2.4	49732	67.217.62.106	4443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:05:10.980827093 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:10.986376047 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:10.986659050 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:10.986990929 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:10.993262053 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:11.661786079 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:11.707648039 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:14.663079977 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:14.715552092 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:16.631038904 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:16.631692886 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:16.637464046 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:16.639446974 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:16.639528990 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:16.640028954 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:16.646888018 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:16.794431925 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:16.843251944 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:17.306231022 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:17.306901932 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:17.306945086 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:17.312344074 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:17.312546015 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:17.355535030 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:17.402008057 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:17.403168917 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:17.408655882 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:20.403563023 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:20.403904915 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:20.409261942 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:21.693073034 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:21.698964119 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:21.824419975 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:21.830399036 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:21.855144024 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:21.855645895 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:21.905908108 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:21.985686064 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:21.985984087 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:21.991297007 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:23.525974035 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:23.526274920 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:23.539321899 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:24.861115932 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:24.866791964 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:25.022809029 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:25.023160934 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:25.028462887 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:26.402709007 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:26.403007984 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:26.408590078 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:27.987549067 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:27.992959023 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:28.149327040 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:28.149694920 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:28.155288935 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:29.402296066 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:29.406383038 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:29.411787033 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:30.783962965 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:30.926067114 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:31.068057060 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:31.068419933 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:31.073704958 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:32.324465036 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:32.330238104 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:32.402911901 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:32.403172016 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:32.408626080 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:33.689495087 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:33.694997072 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:33.851335049 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:33.854506016 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:33.860003948 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:35.403227091 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:35.403760910 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:35.409162998 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:36.638391018 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:36.643892050 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:36.812625885 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:36.812925100 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:36.818332911 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:38.702475071 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:38.703042984 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:38.706257105 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:38.706325054 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:38.711899996 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:39.675409079 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:39.681186914 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:39.860074043 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:39.860330105 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:39.865869045 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:41.406199932 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:41.406677961 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:41.412333012 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:43.009900093 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:43.015870094 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:43.172744036 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:43.173207998 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:43.178795099 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:44.406933069 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:44.407212019 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:44.412718058 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:46.117973089 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:46.123478889 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:46.289047956 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:46.289387941 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:46.295409918 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:47.337512016 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:47.342909098 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:47.401943922 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:47.402359009 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:47.407741070 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:49.082760096 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:49.089241028 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:49.245393991 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:49.245673895 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:49.251065969 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:50.402785063 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:50.403110981 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:50.410008907 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:51.735377073 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:51.741134882 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:51.897128105 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:51.897511005 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:51.903712034 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:53.403001070 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:53.403372049 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:53.409024954 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:54.730463028 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:54.736167908 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:54.892119884 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:54.892458916 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:54.897835970 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:56.403156042 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:56.403609037 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:56.410824060 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:57.673480034 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:57.679110050 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:57.835529089 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:57.836127043 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:57.841578960 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:59.431247950 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:05:59.431871891 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:05:59.443062067 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:01.319329023 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:01.325325012 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:01.484344006 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:01.484793901 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:01.491425037 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:02.346704960 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:02.352999926 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:02.403352976 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:02.410204887 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:02.415644884 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:04.327090025 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:04.332636118 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:04.489411116 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:04.490351915 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:04.495904922 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:05.605618000 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:05.605916023 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:05.614820004 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:05.618036985 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:05.618104935 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:07.109932899 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:07.115555048 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:07.271703959 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:07.272597075 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:07.278018951 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:08.402741909 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:08.406516075 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:08.411951065 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:08.664489985 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:08.664647102 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:08.670228004 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:10.014416933 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:10.019931078 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:10.176069975 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:10.176343918 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:10.181761980 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:11.401842117 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:11.402100086 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:11.407460928 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:12.830413103 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:13.061747074 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:13.218065977 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:13.226794004 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:13.232218027 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:14.402975082 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:14.403276920 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:14.408787012 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:15.832873106 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:16.102958918 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:16.259599924 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:16.260060072 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:16.265852928 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:17.354965925 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:17.360380888 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:17.402997017 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:17.405230045 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:17.410604000 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:18.824517012 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:18.830084085 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:18.985969067 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:18.986190081 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:18.991677046 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:20.403948069 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:20.404337883 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:20.409755945 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:21.913734913 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:21.919361115 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:22.075236082 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:22.075783014 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:22.081310034 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:23.402797937 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:23.403120041 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:23.408638954 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:25.147624016 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:25.153302908 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:25.313617945 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:25.313899994 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:25.319777012 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:26.879837990 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:26.880408049 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:26.880481958 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:26.880855083 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:26.880901098 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:26.881989002 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:26.903801918 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:28.195923090 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:28.201617956 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:28.357841015 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:28.358191967 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:28.363718033 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:29.405468941 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:29.405762911 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:29.411262989 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:31.198678970 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:31.204178095 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:31.362453938 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:31.362768888 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:31.368592978 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:32.364017963 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:32.528004885 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:32.528286934 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:32.534708977 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:32.536520004 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:34.014225006 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:34.019980907 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:34.176819086 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:34.177262068 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:34.182697058 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:35.402256966 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:35.443872929 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:35.451384068 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:35.456778049 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:37.719757080 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:37.725847006 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:37.882121086 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:37.882411957 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:37.887969971 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:38.402908087 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:38.403325081 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:38.408802986 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:40.180389881 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:40.185856104 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:40.342020988 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:40.342297077 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:40.348222971 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:41.402761936 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:41.403155088 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:41.408866882 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:42.763861895 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:42.769393921 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:42.925414085 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:42.925762892 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:42.931240082 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:44.402942896 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:44.403285027 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:44.408741951 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:45.998311996 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:46.004153013 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:46.160419941 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:46.160736084 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:46.166234016 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:47.302642107 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:47.308784008 CEST	4443	49732	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:47.308904886 CEST	49732	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:47.402090073 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:47.402374983 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:47.407660961 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:48.985363960 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:48.990953922 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:49.147010088 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:49.147280931 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:49.152816057 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:50.404511929 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:50.405035973 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:50.410581112 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:52.047235012 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:52.052817106 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:52.396748066 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:52.397146940 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:52.404232979 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:53.403271914 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:53.403646946 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:53.409034967 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:54.937479019 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:54.944180965 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:55.101622105 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:55.102005959 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:55.107546091 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:56.402525902 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:56.402868986 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:56.408440113 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:58.241570950 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:58.248090982 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:58.404381990 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:58.404664993 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:58.410191059 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:59.402826071 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:06:59.403165102 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:06:59.408615112 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:00.830259085 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:00.835886955 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:00.991880894 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:00.993027925 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:00.999047995 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:02.403261900 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:02.449398994 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:02.535085917 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:02.540661097 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:02.663747072 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:02.663885117 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:02.669698000 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:04.041670084 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:04.048088074 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:04.204052925 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:04.204503059 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:04.210136890 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:05.402874947 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:05.403156042 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:05.408659935 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:07.014887094 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:07.020857096 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:07.177175999 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:07.182059050 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:07.187566996 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:08.404243946 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:08.404584885 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:08.410067081 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:09.740206003 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:09.745815039 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:09.902614117 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:09.905647039 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:09.911057949 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:11.402868032 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:11.403444052 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:11.408998013 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:12.764286995 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:12.769799948 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:12.928937912 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:12.929220915 CEST	49730	4443	192.168.2.4	67.217.62.106
Oct 24, 2024 21:07:12.935950994 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:14.402348042 CEST	4443	49730	67.217.62.106	192.168.2.4
Oct 24, 2024 21:07:14.445362091 CEST	49730	4443	192.168.2.4	67.217.62.106

HTTP Request Dependency Graph

67.217.62.106:4443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	67.217.62.106	4443	7004	C:\Users\user\Desktop\msoia.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:05:10.986990929 CEST	302	OUT	GET /ws HTTP/1.1 Host: 67.217.62.106:4443 User-Agent: Go-http-client/1.1 Connection: Upgrade Key: 4fdab31bb8e2932dfe20f92f3fdea3e6eebd95389486a97ad3543bb1583efe62 Sec-WebSocket-Key: jhCCtGGF33HQoR6MWGiUwQ== Sec-WebSocket-Version: 13 UUID: b43dfc4b543363da522193b18b484cdb Upgrade: websocket
Oct 24, 2024 21:05:11.661786079 CEST	203	IN	HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: rziYOmVl+vOQTZC6HC0nmRpS2UU= Secret: 9720ab8477877d05d378b601eb96dd83d800b53b6e2aeb71f69584a5b85b7ee6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	67.217.62.106	4443	7004	C:\Users\user\Desktop\msoia.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:05:16.640028954 CEST	742	OUT	POST /api/client/update?arch=amd64&commit=08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17&os=windows HTTP/1.1 Host: 67.217.62.106:4443 User-Agent: SPARK COMMIT: 08059e95dacafe0bf6e5782f8e2c8ec9cd8c5a17 Content-Length: 384 Content-Type: application/octet-stream Secret: 9720ab8477877d05d378b601eb96dd83d800b53b6e2aeb71f69584a5b85b7ee6 Accept-Encoding: gzip Data Raw: 00 d1 90 85 18 8b ff 63 98 5e 11 5e 5d b8 69 9e 0f 49 58 c3 2f 19 02 7d f2 15 50 2a 9c 28 49 96 4b df 81 9d b6 f0 bc d5 80 19 14 f1 3e 58 d4 71 3d 91 b2 c8 8c 7b 77 cf fc c2 6d 39 a2 b0 3c 29 f6 e3 42 96 e0 37 ad 9a 86 3b 45 1b b1 1b 97 f3 79 24 d7 2f 8d 44 ab 4b bb 42 41 db 78 e1 69 5e ca 75 94 a9 9b f5 53 e8 5c c1 36 85 7e d9 e9 41 4e 00 38 1e 1b 76 82 2f fb 85 d1 d0 88 86 2c fc 6f aa 8a 58 46 8a 30 61 fb 6f ca ad a8 a0 c5 9b c1 a2 d4 f3 22 da ec 6b 66 6b 36 64 87 88 ed da 4e fc fc 2e 12 e3 84 68 40 f6 cb 76 b1 25 4d 1a b9 a3 0d f9 d6 85 72 de 26 7d 13 09 73 69 0d 3d 06 5c 7a 45 4f 86 a6 0a 74 e4 ff 04 a4 c7 b9 e7 6a 6e e3 68 1f e5 03 dc d4 68 e4 5e 30 03 59 f6 68 1f 64 af cb 5d 03 2e 39 3f 39 67 f4 9a a7 e9 5a 53 bb 85 c7 8c 08 0e 55 f3 7e 0b d0 56 13 ec 7c 5d 39 45 f5 83 d3 29 67 7b 08 9d b7 3c 07 1f 06 96 98 c9 68 89 23 fb 0e 23 50 2e ae 1a 6f 97 6f 00 96 11 47 f3 65 09 5a e1 1c 89 a7 81 1f 60 34 58 78 0d f8 e2 c7 18 0c 3a 69 7e 73 7c 8e 96 8d 7c 49 de e2 97 85 7a 3e b7 3e 7c ff 2d f9 13 1c f2 [TRUNCATED] Data Ascii: c^^]iIX/}P*(IK>Xq={wm9<)B7;Ey$/DKBAxi^uS\6~AN8v/,oXF0ao"kfk6dN.h@v%Mr&}si=\zEOtjnhh^0Yhd].9?9gZSU~V\|]9E)g{<h##P.ooGeZ`4Xx:i~s\|\|Iz>>\|-pk~mNns=ygaM_MyA5
Oct 24, 2024 21:05:17.306231022 CEST	133	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Date: Thu, 24 Oct 2024 19:05:17 GMT Content-Length: 10 Data Raw: 7b 22 63 6f 64 65 22 3a 30 7d Data Ascii: {"code":0}

Target ID:	0
Start time:	15:05:06
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\msoia.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\msoia.exe"
Imagebase:	0xd30000
File size:	16'498'688 bytes
MD5 hash:	42CBC8F4803DA0F2B8BBD3D13A37FC58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_SparkRAT, Description: Yara detected Spark RAT, Source: 00000000.00000002.3007239925.00000000010A9000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:05:06
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:05:09
Start date:	24/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd ver
Imagebase:	0x7ff772340000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report msoia.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
msoia.exe