Edit tour

Windows Analysis Report
SOA.scr.exe

Overview

General Information

Sample name:	SOA.scr.exe
Analysis ID:	1589986
MD5:	10e27194bbd1fe9c32b2a47539357723
SHA1:	b321ba31b6782b2399477ee8ce54db7f3e83dc80
SHA256:	8d3b00bb743c8d64e425c6014136080805acaa3cac12bf62151bb1e19908a89f
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SOA.scr.exe (PID: 4280 cmdline: "C:\Users\user\Desktop\SOA.scr.exe" MD5: 10E27194BBD1FE9C32B2A47539357723)

powershell.exe (PID: 6364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1716 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 760 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SOA.scr.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\SOA.scr.exe" MD5: 10E27194BBD1FE9C32B2A47539357723)

SOA.scr.exe (PID: 5376 cmdline: "C:\Users\user\Desktop\SOA.scr.exe" MD5: 10E27194BBD1FE9C32B2A47539357723)

eVjuqWQWhLhEQl.exe (PID: 4072 cmdline: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe MD5: 10E27194BBD1FE9C32B2A47539357723)

schtasks.exe (PID: 1708 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2E55.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

eVjuqWQWhLhEQl.exe (PID: 1812 cmdline: "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe" MD5: 10E27194BBD1FE9C32B2A47539357723)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2217258111.00000000058D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.3442078497.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.3442078497.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdfa7:$a1: get_encryptedPassword 0xe2cf:$a2: get_encryptedUsername 0xdd42:$a3: get_timePasswordChanged 0xde63:$a4: get_passwordField 0xdfbd:$a5: set_encryptedPassword 0xf919:$a7: get_logins 0xf5ca:$a8: GetOutlookPasswords 0xf3bc:$a9: StartKeylogger 0xf869:$a10: KeyLoggerEventArgs 0xf419:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.3444644839.0000000003237000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfb17:$a1: get_encryptedPassword 0x26937:$a1: get_encryptedPassword 0xfe3f:$a2: get_encryptedUsername 0x26c5f:$a2: get_encryptedUsername 0xf8b2:$a3: get_timePasswordChanged 0x266d2:$a3: get_timePasswordChanged 0xf9d3:$a4: get_passwordField 0x267f3:$a4: get_passwordField 0xfb2d:$a5: set_encryptedPassword 0x2694d:$a5: set_encryptedPassword 0x11489:$a7: get_logins 0x282a9:$a7: get_logins 0x1113a:$a8: GetOutlookPasswords 0x27f5a:$a8: GetOutlookPasswords 0x10f2c:$a9: StartKeylogger 0x27d4c:$a9: StartKeylogger 0x113d9:$a10: KeyLoggerEventArgs 0x281f9:$a10: KeyLoggerEventArgs 0x10f89:$a11: KeyLoggerEventArgsEventHandler 0x27da9:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.3445148159.0000000002C87000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x18ba2f:$a1: get_encryptedPassword 0x18bd57:$a2: get_encryptedUsername 0x18b7ca:$a3: get_timePasswordChanged 0x18b8eb:$a4: get_passwordField 0x18ba45:$a5: set_encryptedPassword 0x18d3a1:$a7: get_logins 0x18d052:$a8: GetOutlookPasswords 0x18ce44:$a9: StartKeylogger 0x18d2f1:$a10: KeyLoggerEventArgs 0x18cea1:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.2240442640.0000000003156000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2212788552.0000000002F76000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: SOA.scr.exe PID: 4280	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: SOA.scr.exe PID: 4280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOA.scr.exe PID: 4280	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SOA.scr.exe PID: 4280	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2802f:$a1: get_encryptedPassword 0xbbb99:$a1: get_encryptedPassword 0x28348:$a2: get_encryptedUsername 0xbbeb2:$a2: get_encryptedUsername 0x27dde:$a3: get_timePasswordChanged 0xbb948:$a3: get_timePasswordChanged 0x27eff:$a4: get_passwordField 0xbba69:$a4: get_passwordField 0x28045:$a5: set_encryptedPassword 0xbbbaf:$a5: set_encryptedPassword 0x29948:$a7: get_logins 0xbd4b2:$a7: get_logins 0x295f9:$a8: GetOutlookPasswords 0xbd163:$a8: GetOutlookPasswords 0x293eb:$a9: StartKeylogger 0xbcf55:$a9: StartKeylogger 0x29898:$a10: KeyLoggerEventArgs 0xbd402:$a10: KeyLoggerEventArgs 0x29448:$a11: KeyLoggerEventArgsEventHandler 0xbcfb2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SOA.scr.exe PID: 5376	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: SOA.scr.exe PID: 5376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOA.scr.exe PID: 5376	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x55ba4:$a1: get_encryptedPassword 0x55ebd:$a2: get_encryptedUsername 0x55953:$a3: get_timePasswordChanged 0x55a74:$a4: get_passwordField 0x55bba:$a5: set_encryptedPassword 0x574bd:$a7: get_logins 0x5716e:$a8: GetOutlookPasswords 0x56f60:$a9: StartKeylogger 0x5740d:$a10: KeyLoggerEventArgs 0x56fbd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: eVjuqWQWhLhEQl.exe PID: 4072	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: eVjuqWQWhLhEQl.exe PID: 1812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eVjuqWQWhLhEQl.exe PID: 1812	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SOA.scr.exe.32a60c4.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SOA.scr.exe.58d0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SOA.scr.exe.58d0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.eVjuqWQWhLhEQl.exe.34861e4.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.SOA.scr.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.SOA.scr.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA.scr.exe.3eb0790.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.SOA.scr.exe.3eb0790.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA.scr.exe.3eb0790.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SOA.scr.exe.3eb0790.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA.scr.exe.3eb0790.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
0.2.SOA.scr.exe.32a60c4.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SOA.scr.exe.3e99970.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.SOA.scr.exe.3e99970.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA.scr.exe.3e99970.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SOA.scr.exe.3e99970.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25fc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x262ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25d62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25e83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25fdd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27939:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x275ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x273dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27889:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27439:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA.scr.exe.3e99970.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2afcb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a4c9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x2a7d7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data 0x2b5cf:$a5: \Kometa\User Data\Default\Login Data
9.2.eVjuqWQWhLhEQl.exe.34861e4.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SOA.scr.exe.3eb0790.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.SOA.scr.exe.3eb0790.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA.scr.exe.3eb0790.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SOA.scr.exe.3eb0790.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA.scr.exe.3eb0790.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
0.2.SOA.scr.exe.3e99970.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.SOA.scr.exe.3e99970.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SOA.scr.exe.3e99970.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SOA.scr.exe.3e99970.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.SOA.scr.exe.3e99970.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
9.2.eVjuqWQWhLhEQl.exe.32644bc.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SOA.scr.exe.308439c.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SOA.scr.exe.2fcba04.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.eVjuqWQWhLhEQl.exe.31abb24.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA.scr.exe", ParentImage: C:\Users\user\Desktop\SOA.scr.exe, ParentProcessId: 4280, ParentProcessName: SOA.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe", ProcessId: 6364, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2E55.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2E55.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe, ParentImage: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe, ParentProcessId: 4072, ParentProcessName: eVjuqWQWhLhEQl.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2E55.tmp", ProcessId: 1708, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA.scr.exe", ParentImage: C:\Users\user\Desktop\SOA.scr.exe, ParentProcessId: 4280, ParentProcessName: SOA.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp", ProcessId: 760, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA.scr.exe", ParentImage: C:\Users\user\Desktop\SOA.scr.exe, ParentProcessId: 4280, ParentProcessName: SOA.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe", ProcessId: 6364, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA.scr.exe", ParentImage: C:\Users\user\Desktop\SOA.scr.exe, ParentProcessId: 4280, ParentProcessName: SOA.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp", ProcessId: 760, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:05:31.593711+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49725	158.101.44.242	80	TCP
2025-01-13T13:05:32.578045+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49728	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Virustotal: Detection: 29%			Perma Link

Multi AV Scanner detection for submitted file

Source: SOA.scr.exe	Virustotal: Detection: 29%			Perma Link
Source: SOA.scr.exe	ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SOA.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SOA.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49788 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49795 version: TLS 1.0

Source: SOA.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142A7D8h	8_2_0142A3C0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142A0B1h	8_2_01429E00
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142E640h	8_2_0142E398
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142A7D8h	8_2_0142A3B0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142A7D8h	8_2_0142A706
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142EA98h	8_2_0142E7F0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142EEF0h	8_2_0142EC48
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142F348h	8_2_0142F0A0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142F7A0h	8_2_0142F4F8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 0142FBF8h	8_2_0142F950
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC18A0h	8_2_05CC15F8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC3840h	8_2_05CC3598
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC0740h	8_2_05CC0498
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC26E0h	8_2_05CC2438
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC49A0h	8_2_05CC46F8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_05CC51E8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC1448h	8_2_05CC11A0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC33E8h	8_2_05CC3140
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC02E8h	8_2_05CC0040
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then mov esp, ebp	8_2_05CC93F8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC4548h	8_2_05CC42A0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC0FF0h	8_2_05CC0D48
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC5EB5h	8_2_05CC5CD8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC683Fh	8_2_05CC5CD8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC2F90h	8_2_05CC2CE8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC2152h	8_2_05CC1EA8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC40F0h	8_2_05CC3E48
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_05CC59FB
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC3C98h	8_2_05CC39F0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC0B98h	8_2_05CC08F0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC2B38h	8_2_05CC2890
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_05CC581B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC4DF8h	8_2_05CC4B50
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 4x nop then jmp 05CC1CF8h	8_2_05CC1A50
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127A7D8h	13_2_0127A3C0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127A0B1h	13_2_01279E00
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127A7D8h	13_2_0127A3B0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127E640h	13_2_0127E220
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127A7D8h	13_2_0127A706
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127EA98h	13_2_0127E7F0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127EEF0h	13_2_0127EC48
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127F348h	13_2_0127F0A0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127F7A0h	13_2_0127F4F8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0127FBF8h	13_2_0127F950
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 063595ADh	13_2_06359270
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0635AA10h	13_2_0635A768
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0635B718h	13_2_0635B470
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 06358811h	13_2_06358568
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0635B2C0h	13_2_0635B018
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 063583B9h	13_2_06358110
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 063590C1h	13_2_06358E18
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 06357F61h	13_2_06357CB8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0635BFC8h	13_2_0635BD20
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0635AE68h	13_2_0635ABC0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 0635BB70h	13_2_0635B8C8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 4x nop then jmp 06358C69h	13_2_063589C0

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49728 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49725 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49788 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49795 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: SOA.scr.exe, 00000008.00000002.3444644839.0000000003152000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SOA.scr.exe, 00000008.00000002.3444644839.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: SOA.scr.exe, 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3442079237.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: SOA.scr.exe, eVjuqWQWhLhEQl.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SOA.scr.exe, eVjuqWQWhLhEQl.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: SOA.scr.exe, eVjuqWQWhLhEQl.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SOA.scr.exe, 00000008.00000002.3444644839.000000000317F000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: SOA.scr.exe, 00000008.00000002.3444644839.000000000317F000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: SOA.scr.exe, 00000000.00000002.2212788552.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 00000009.00000002.2240442640.0000000003071000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SOA.scr.exe, 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3442079237.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SOA.scr.exe, 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3442079237.0000000000413000.00000040.00000400.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/d
Source: SOA.scr.exe, eVjuqWQWhLhEQl.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.SOA.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000002.3442078497.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SOA.scr.exe PID: 4280, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SOA.scr.exe PID: 5376, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 0_2_01504204	0_2_01504204
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 0_2_015079D9	0_2_015079D9
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_014219B8	8_2_014219B8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_01429E00	8_2_01429E00
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142E38B	8_2_0142E38B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142E398	8_2_0142E398
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142E7EB	8_2_0142E7EB
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142E7F0	8_2_0142E7F0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_01422DD1	8_2_01422DD1
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142EC43	8_2_0142EC43
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142EC48	8_2_0142EC48
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142F09B	8_2_0142F09B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142F0A0	8_2_0142F0A0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142F4F3	8_2_0142F4F3
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142F4F8	8_2_0142F4F8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142F943	8_2_0142F943
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142F950	8_2_0142F950
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_01429DEF	8_2_01429DEF
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC9120	8_2_05CC9120
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC8038	8_2_05CC8038
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC7398	8_2_05CC7398
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC6D50	8_2_05CC6D50
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC79E8	8_2_05CC79E8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC15EF	8_2_05CC15EF
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC15F8	8_2_05CC15F8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC3598	8_2_05CC3598
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC3593	8_2_05CC3593
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC048B	8_2_05CC048B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC0498	8_2_05CC0498
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC2438	8_2_05CC2438
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC2433	8_2_05CC2433
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC46F8	8_2_05CC46F8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC46F3	8_2_05CC46F3
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC8680	8_2_05CC8680
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC8670	8_2_05CC8670
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC51E8	8_2_05CC51E8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC51E3	8_2_05CC51E3
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC119B	8_2_05CC119B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC11A0	8_2_05CC11A0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC3140	8_2_05CC3140
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC9110	8_2_05CC9110
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC3130	8_2_05CC3130
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC0040	8_2_05CC0040
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC802C	8_2_05CC802C
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC003B	8_2_05CC003B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC7388	8_2_05CC7388
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC429B	8_2_05CC429B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC42A0	8_2_05CC42A0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC0D48	8_2_05CC0D48
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC6D3F	8_2_05CC6D3F
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC0D38	8_2_05CC0D38
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC5CCF	8_2_05CC5CCF
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC5CD8	8_2_05CC5CD8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC2CDB	8_2_05CC2CDB
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC2CE8	8_2_05CC2CE8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC1EA8	8_2_05CC1EA8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC1EA3	8_2_05CC1EA3
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC3E48	8_2_05CC3E48
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC3E38	8_2_05CC3E38
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC79D8	8_2_05CC79D8
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC39E0	8_2_05CC39E0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC39F0	8_2_05CC39F0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC08EB	8_2_05CC08EB
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC08F0	8_2_05CC08F0
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC288B	8_2_05CC288B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC2890	8_2_05CC2890
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC4B4B	8_2_05CC4B4B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC4B50	8_2_05CC4B50
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC1A4B	8_2_05CC1A4B
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC1A50	8_2_05CC1A50
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_01724204	9_2_01724204
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_017279D9	9_2_017279D9
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_05BC1CD0	9_2_05BC1CD0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_05BC34D0	9_2_05BC34D0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_05BC1460	9_2_05BC1460
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_05BC1450	9_2_05BC1450
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_05BC3908	9_2_05BC3908
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_05BC90B0	9_2_05BC90B0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_05BC1898	9_2_05BC1898
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_05BC1889	9_2_05BC1889
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_072F1620	9_2_072F1620
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_072F9A70	9_2_072F9A70
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_072F1612	9_2_072F1612
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_072F8860	9_2_072F8860
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 9_2_072F8851	9_2_072F8851
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_01272DD1	13_2_01272DD1
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127DB08	13_2_0127DB08
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_01279E00	13_2_01279E00
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127E220	13_2_0127E220
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127E7E0	13_2_0127E7E0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127E7F0	13_2_0127E7F0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127EC45	13_2_0127EC45
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127EC48	13_2_0127EC48
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127F0A0	13_2_0127F0A0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127F090	13_2_0127F090
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127F4E8	13_2_0127F4E8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127F4F8	13_2_0127F4F8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127F941	13_2_0127F941
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127F950	13_2_0127F950
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_01279DEF	13_2_01279DEF
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635E698	13_2_0635E698
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06354560	13_2_06354560
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06359270	13_2_06359270
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635F3F8	13_2_0635F3F8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06350040	13_2_06350040
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635C178	13_2_0635C178
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06354C30	13_2_06354C30
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_063598D0	13_2_063598D0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635A768	13_2_0635A768
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635A759	13_2_0635A759
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635B470	13_2_0635B470
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635B460	13_2_0635B460
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06358565	13_2_06358565
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06358568	13_2_06358568
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06359262	13_2_06359262
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06354340	13_2_06354340
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635B018	13_2_0635B018
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06350006	13_2_06350006
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635B009	13_2_0635B009
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06358110	13_2_06358110
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06358100	13_2_06358100
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635C169	13_2_0635C169
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06358E18	13_2_06358E18
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06358E08	13_2_06358E08
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06354C79	13_2_06354C79
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06357CB8	13_2_06357CB8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06357CA7	13_2_06357CA7
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635BD20	13_2_0635BD20
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635BD10	13_2_0635BD10
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635ABB0	13_2_0635ABB0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06353BB8	13_2_06353BB8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06353BA8	13_2_06353BA8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635ABC0	13_2_0635ABC0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635B8B8	13_2_0635B8B8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_063598C5	13_2_063598C5
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0635B8C8	13_2_0635B8C8
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_063589B2	13_2_063589B2
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_063589C0	13_2_063589C0

Source: SOA.scr.exe

Static PE information: invalid certificate

Source: SOA.scr.exe, 00000000.00000002.2212788552.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000000.2191594334.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSQlw.exep( vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2217258111.00000000058D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2212788552.0000000002F76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2218475186.0000000007540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2218215499.0000000007112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2218215499.0000000007112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs SOA.scr.exe
Source: SOA.scr.exe, 00000000.00000002.2210880962.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SOA.scr.exe
Source: SOA.scr.exe, 00000008.00000002.3442338347.0000000000FB7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SOA.scr.exe
Source: SOA.scr.exe, 00000008.00000002.3442078497.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs SOA.scr.exe
Source: SOA.scr.exe	Binary or memory string: OriginalFilenameSQlw.exep( vs SOA.scr.exe

Source: SOA.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.SOA.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.3442078497.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOA.scr.exe PID: 4280, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOA.scr.exe PID: 5376, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SOA.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: eVjuqWQWhLhEQl.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/11@2/2

Source: C:\Users\user\Desktop\SOA.scr.exe

File created: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03

Source: C:\Users\user\Desktop\SOA.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2349.tmp

Jump to behavior

Source: SOA.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SOA.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\SOA.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SOA.scr.exe, 00000008.00000002.3446883379.000000000410D000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.0000000003200000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002C44000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SOA.scr.exe	Virustotal: Detection: 29%
Source: SOA.scr.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\SOA.scr.exe

File read: C:\Users\user\Desktop\SOA.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SOA.scr.exe "C:\Users\user\Desktop\SOA.scr.exe"
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Users\user\Desktop\SOA.scr.exe "C:\Users\user\Desktop\SOA.scr.exe"
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Users\user\Desktop\SOA.scr.exe "C:\Users\user\Desktop\SOA.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2E55.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process created: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Users\user\Desktop\SOA.scr.exe "C:\Users\user\Desktop\SOA.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Users\user\Desktop\SOA.scr.exe "C:\Users\user\Desktop\SOA.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2E55.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process created: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SOA.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SOA.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SOA.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142BF80 push esp; ret	8_2_0142BFED
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142F093 push eax; retf	8_2_0142F09A
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142F4EB push ebx; retf	8_2_0142F4F2
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_0142BFE0 push esp; ret	8_2_0142BFED
Source: C:\Users\user\Desktop\SOA.scr.exe	Code function: 8_2_05CC08E3 pushad ; retf	8_2_05CC08EA
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127BF80 push esp; ret	13_2_0127BFED
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_0127BFE0 push esp; ret	13_2_0127BFED
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06353767 push es; retf	13_2_06353768
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06354B36 push es; iretd	13_2_06354BE0
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Code function: 13_2_06354BB0 push es; iretd	13_2_06354BE0

Source: SOA.scr.exe	Static PE information: section name: .text entropy: 7.557870150917519
Source: eVjuqWQWhLhEQl.exe.0.dr	Static PE information: section name: .text entropy: 7.557870150917519

Source: C:\Users\user\Desktop\SOA.scr.exe

File created: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SOA.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: eVjuqWQWhLhEQl.exe PID: 4072, type: MEMORYSTR

Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: 14C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: 4E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: 9280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: 7C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: A280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: B280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: 1400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: 30E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 8E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 7850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 9E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: AE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6051			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3531			Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe TID: 1600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2940	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe TID: 3876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SOA.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: eVjuqWQWhLhEQl.exe, 0000000D.00000002.3442700281.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: SOA.scr.exe, 00000008.00000002.3443487964.00000000014A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SOA.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

Code function: 13_2_06354560 LdrInitializeThunk,LdrInitializeThunk,

13_2_06354560

Source: C:\Users\user\Desktop\SOA.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Users\user\Desktop\SOA.scr.exe "C:\Users\user\Desktop\SOA.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Process created: C:\Users\user\Desktop\SOA.scr.exe "C:\Users\user\Desktop\SOA.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2E55.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Process created: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Users\user\Desktop\SOA.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Users\user\Desktop\SOA.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SOA.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SOA.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.SOA.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3442078497.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA.scr.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOA.scr.exe PID: 5376, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SOA.scr.exe.32a60c4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.58d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.58d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.eVjuqWQWhLhEQl.exe.34861e4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.32a60c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.eVjuqWQWhLhEQl.exe.34861e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.eVjuqWQWhLhEQl.exe.32644bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.308439c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.2fcba04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.eVjuqWQWhLhEQl.exe.31abb24.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2217258111.00000000058D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2240442640.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2212788552.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA.scr.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eVjuqWQWhLhEQl.exe PID: 1812, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SOA.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3444644839.0000000003237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3445148159.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA.scr.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOA.scr.exe PID: 5376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eVjuqWQWhLhEQl.exe PID: 1812, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.SOA.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3442078497.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA.scr.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SOA.scr.exe PID: 5376, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SOA.scr.exe.32a60c4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.58d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.58d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.eVjuqWQWhLhEQl.exe.34861e4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.32a60c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.eVjuqWQWhLhEQl.exe.34861e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.eVjuqWQWhLhEQl.exe.32644bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.308439c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.2fcba04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.eVjuqWQWhLhEQl.exe.31abb24.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2217258111.00000000058D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2240442640.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2212788552.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3eb0790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOA.scr.exe.3e99970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOA.scr.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eVjuqWQWhLhEQl.exe PID: 1812, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SOA.scr.exe	29%	Virustotal		Browse
SOA.scr.exe	37%	ReversingLabs	ByteCode-MSIL.Virus.Virut
SOA.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	37%	ReversingLabs	ByteCode-MSIL.Virus.Virut
C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe	29%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/d	SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	SOA.scr.exe, 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3442079237.0000000000413000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	SOA.scr.exe, 00000008.00000002.3444644839.000000000317F000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	SOA.scr.exe, 00000008.00000002.3444644839.000000000317F000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	SOA.scr.exe, 00000008.00000002.3444644839.0000000003152000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	SOA.scr.exe, 00000008.00000002.3444644839.000000000315E000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SOA.scr.exe, 00000000.00000002.2212788552.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000008.00000002.3444644839.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 00000009.00000002.2240442640.0000000003071000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3445148159.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	SOA.scr.exe, eVjuqWQWhLhEQl.exe.0.dr	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	SOA.scr.exe, 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, SOA.scr.exe, 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, eVjuqWQWhLhEQl.exe, 0000000D.00000002.3442079237.0000000000413000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589986
Start date and time:	2025-01-13 13:04:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SOA.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/11@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 167 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.160.20, 40.126.32.134, 20.190.160.22, 40.126.32.133, 40.126.32.140, 20.190.160.17, 40.126.32.74, 40.126.32.76, 13.107.246.45, 2.23.242.162, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:05:15	API Interceptor	1x Sleep call for process: SOA.scr.exe modified
07:05:17	API Interceptor	13x Sleep call for process: powershell.exe modified
07:05:18	API Interceptor	1x Sleep call for process: eVjuqWQWhLhEQl.exe modified
13:05:17	Task Scheduler	Run new task: eVjuqWQWhLhEQl path: C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	trow.exe	Get hash	malicious	Unknown	Browse	www.rs-ag.com/
	fqbVL4XxCr.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
158.101.44.242	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
fp2e7a.wpc.phicdn.net	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://satelite.nv-ec.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://support.te-wt.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.flndmy.er-xu.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.support.ue-vt.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.lforgot.xw-er.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://support.wt-nx.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.maps.tv-wt.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://htpss-encontrar.bicicletasraper.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	trow.exe	Get hash	malicious	Unknown	Browse	147.154.3.56
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
CLOUDFLARENETUS	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	104.19.132.76
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	https://smartbooking.ma/	Get hash	malicious	Unknown	Browse	188.114.97.3
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	https://connexion-pro.support/adobe/s/assets/	Get hash	malicious	Unknown	Browse	104.21.11.138
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	g5.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://aeromorning.com	Get hash	malicious	Unknown	Browse	104.26.4.102
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	172.68.1.238

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Loader.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1

Process:	C:\Users\user\Desktop\SOA.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eVjuqWQWhLhEQl.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4xymI4RjGoUP7gZ9tK8NPZHUm7u1iMuge//ZPUXus:+LHxvII1LZ2KRH9OugQs
MD5:	DADAD5725D0B7E673F129B804B839B2F
SHA1:	F1BC9D22FF090979EFEE411A1D6BDB37C312D0EA
SHA-256:	9168F68619465407B5B9BC1E74279381C5E27599374B62C2FFA4BC62594252C6
SHA-512:	8690901FBE121B8CD102DB02EAF10A517BE00329AEEBD34F3A2B1174DFDC80D7967F1C18141C6A3EF798B4B964600BD850A3B6ECC39ED7E2A87675D2972EBF6C
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.....................@.[8]'.\........System.Data.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wbyuppv.0iw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he420c4a.tpp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njhfenlg.bxn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukcgwvlj.npw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2349.tmp

Download File

Process:	C:\Users\user\Desktop\SOA.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.121338907099338
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtO0+xvn:cgergYrFdOFzOzN33ODOiDdKrsuTO1v
MD5:	DA05B340CCFEDFF5F74C5ADC3B922B76
SHA1:	DE1A6EF8076978CE0076B6FA6587EA5F55C17E7E
SHA-256:	AFA91904FB36B082C7E6D1664C8F891A471E757E523F4A44DF51276317730697
SHA-512:	EC60103B5E62BA1902E127C9F719958999784945A06B4843796B105FD32BC9C5FBDB56F1767C2576AE9ACA3D53EAD1DF993EF763910F7A4280AD924D79CD1722
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp2E55.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.121338907099338
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtO0+xvn:cgergYrFdOFzOzN33ODOiDdKrsuTO1v
MD5:	DA05B340CCFEDFF5F74C5ADC3B922B76
SHA1:	DE1A6EF8076978CE0076B6FA6587EA5F55C17E7E
SHA-256:	AFA91904FB36B082C7E6D1664C8F891A471E757E523F4A44DF51276317730697
SHA-512:	EC60103B5E62BA1902E127C9F719958999784945A06B4843796B105FD32BC9C5FBDB56F1767C2576AE9ACA3D53EAD1DF993EF763910F7A4280AD924D79CD1722
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

Download File

Process:	C:\Users\user\Desktop\SOA.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	617992
Entropy (8bit):	7.553187803541621
Encrypted:	false
SSDEEP:	12288:GNfLFsxVQBTXK+zb5Xvab/kYQaBIJotsdjUtxmAl12tZ9uLUxL7HNHJTs7m5kR:GMLQp605XCb/kYBIGsBUNqLB6
MD5:	10E27194BBD1FE9C32B2A47539357723
SHA1:	B321BA31B6782B2399477EE8CE54DB7F3E83DC80
SHA-256:	8D3B00BB743C8D64E425C6014136080805ACAA3CAC12BF62151BB1E19908A89F
SHA-512:	88BA8E03A52D28F874D8CBB244A0C2D2A7495163D2D3729C2E31AC9CFC1340771C53B6610405E2690EBF5B8E9CD25CDDACECC117D8284573D9D7A94EE0AD1B1F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0......$.......1... ...@....@.. ....................................`.................................\|1..O....@..<!...........8...6........................................................... ............... ..H............text........ ...................... ..`.rsrc...<!...@..."..................@..@.reloc...............6..............@..B.................1......H........v......................................................................}......}......}......}.....(......*..0.................}......}......}......}.....(.......(............}.....{....(......{....(......{.....o......{.....o......{......r...p.d.d.s......{......r...p.x.d..s......{......r...p .....d..s......{......r1..p .....d..s......{......r;..p ,... ......s......{......rI..p T... ......s.......+<..{.......X...s.....rW..p..X...(....re..p...(....(....&...X.......-..{.

C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SOA.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.553187803541621
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SOA.scr.exe
File size:	617'992 bytes
MD5:	10e27194bbd1fe9c32b2a47539357723
SHA1:	b321ba31b6782b2399477ee8ce54db7f3e83dc80
SHA256:	8d3b00bb743c8d64e425c6014136080805acaa3cac12bf62151bb1e19908a89f
SHA512:	88ba8e03a52d28f874d8cbb244a0c2d2a7495163d2d3729c2e31ac9cfc1340771c53b6610405e2690ebf5b8e9cd25cddacecc117d8284573d9d7a94ee0ad1b1f
SSDEEP:	12288:GNfLFsxVQBTXK+zb5Xvab/kYQaBIJotsdjUtxmAl12tZ9uLUxL7HNHJTs7m5kR:GMLQp605XCb/kYBIGsBUNqLB6
TLSH:	2DD4E01526AD8502D0A66FB01931D3F44B786E8CA931CB1B8FE5BDEFB876B457600363
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0......$.......1... ...@....@.. ....................................`................................

File Icon


Icon Hash:	132d922957b24d93

Static PE Info

General

Entrypoint:	0x4931ce
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67849DDF [Mon Jan 13 05:00:15 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9317c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x213c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x93800	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x911e4	0x91200	b55b1dac5f803d40391fb2aef5ac15bd	False	0.8557530550172265	data	7.557870150917519	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x213c	0x2200	0cd2a66038e94ce23e5fb0ac9ffd642d	False	0.6402803308823529	data	6.461284455659159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0xc	0x200	6c2747ec2c46c0e490c21b75f8a70ce2	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x940c8	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.6911123227917121
RT_GROUP_ICON	0x95d80	0x14	data	1.15
RT_VERSION	0x95da4	0x394	OpenPGP Secret Key	0.4104803493449782

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T13:05:31.593711+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49725	158.101.44.242	80	TCP
2025-01-13T13:05:32.578045+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49728	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:05:18.258415937 CET	49725	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:18.263283014 CET	80	49725	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:18.263345003 CET	49725	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:18.263823986 CET	49725	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:18.268651009 CET	80	49725	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:20.978880882 CET	49728	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:20.983660936 CET	80	49728	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:20.983735085 CET	49728	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:20.984225035 CET	49728	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:20.989249945 CET	80	49728	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:26.362152100 CET	80	49725	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:26.406132936 CET	49725	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:26.678204060 CET	49725	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:26.683120966 CET	80	49725	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:28.036020041 CET	80	49728	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:28.040086031 CET	49728	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:28.044931889 CET	80	49728	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:31.539174080 CET	80	49725	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:31.589317083 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:31.589373112 CET	443	49788	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:31.589493036 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:31.593710899 CET	49725	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:31.678361893 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:31.678381920 CET	443	49788	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:32.139378071 CET	443	49788	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:32.139575958 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:32.306592941 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:32.306618929 CET	443	49788	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:32.307723999 CET	443	49788	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:32.359302998 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:32.502885103 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:32.532119989 CET	80	49728	158.101.44.242	192.168.2.5
Jan 13, 2025 13:05:32.543335915 CET	443	49788	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:32.578044891 CET	49728	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:05:32.779160976 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:32.779201984 CET	443	49795	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:32.779259920 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:32.789319992 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:32.789334059 CET	443	49795	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.010293961 CET	443	49788	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.010361910 CET	443	49788	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.010442972 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:33.017174959 CET	49788	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:33.253674984 CET	443	49795	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.253798962 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:33.256143093 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:33.256156921 CET	443	49795	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.256525040 CET	443	49795	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.296782017 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:33.335330009 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:33.379328012 CET	443	49795	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.856905937 CET	443	49795	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.856971025 CET	443	49795	104.21.112.1	192.168.2.5
Jan 13, 2025 13:05:33.857135057 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:05:33.860179901 CET	49795	443	192.168.2.5	104.21.112.1
Jan 13, 2025 13:06:36.487404108 CET	80	49725	158.101.44.242	192.168.2.5
Jan 13, 2025 13:06:36.487541914 CET	49725	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:06:37.480067968 CET	80	49728	158.101.44.242	192.168.2.5
Jan 13, 2025 13:06:37.480253935 CET	49728	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:07:11.549498081 CET	49725	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:07:11.554419994 CET	80	49725	158.101.44.242	192.168.2.5
Jan 13, 2025 13:07:12.547647953 CET	49728	80	192.168.2.5	158.101.44.242
Jan 13, 2025 13:07:12.552439928 CET	80	49728	158.101.44.242	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:05:18.241767883 CET	55443	53	192.168.2.5	1.1.1.1
Jan 13, 2025 13:05:18.248740911 CET	53	55443	1.1.1.1	192.168.2.5
Jan 13, 2025 13:05:31.579554081 CET	63798	53	192.168.2.5	1.1.1.1
Jan 13, 2025 13:05:31.587409019 CET	53	63798	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:05:18.241767883 CET	192.168.2.5	1.1.1.1	0xb131	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.579554081 CET	192.168.2.5	1.1.1.1	0xda8f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:05:14.452665091 CET	1.1.1.1	192.168.2.5	0xc911	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 13:05:14.452665091 CET	1.1.1.1	192.168.2.5	0xc911	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:18.248740911 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 13:05:18.248740911 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:18.248740911 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:18.248740911 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:18.248740911 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:18.248740911 CET	1.1.1.1	192.168.2.5	0xb131	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.587409019 CET	1.1.1.1	192.168.2.5	0xda8f	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.587409019 CET	1.1.1.1	192.168.2.5	0xda8f	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.587409019 CET	1.1.1.1	192.168.2.5	0xda8f	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.587409019 CET	1.1.1.1	192.168.2.5	0xda8f	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.587409019 CET	1.1.1.1	192.168.2.5	0xda8f	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.587409019 CET	1.1.1.1	192.168.2.5	0xda8f	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.587409019 CET	1.1.1.1	192.168.2.5	0xda8f	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49725	158.101.44.242	80	5376	C:\Users\user\Desktop\SOA.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:05:18.263823986 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:05:26.362152100 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:05:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f69dd71191ba2e4604b10d3fe36157c5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:05:26.678204060 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:05:31.539174080 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 13 Jan 2025 12:05:31 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 5e3b60ce5db38bf59372a5bf0e1d8b93 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49728	158.101.44.242	80	1812	C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:05:20.984225035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:05:28.036020041 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:05:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 86d276be636c43b066039a710bbf0eaa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:05:28.040086031 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:05:32.532119989 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 13 Jan 2025 12:05:32 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: ea2c3eea709a21158549adf9d88efef6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49788	104.21.112.1	443	5376	C:\Users\user\Desktop\SOA.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:05:32 UTC	73	OUT	GET /xml/ HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:05:33 UTC	768	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:05:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vwmIi2Mxamunc1Rk%2F0FyBpLEFctYsmURuZKj2x207eBGw6bUgAyZHNWBNyz6W4Hf2zIqQgnge145zHT5gv6FOB%2FbEvH01ugV2S%2FOrvdduEGnq71ZxcscMi%2FIuxbWaGw2jC2ghdAy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015414e7c970f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1600&rtt_var=614&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=687&delivery_rate=1763285&cwnd=221&unsent_bytes=0&cid=a0f333c7138a3c0c&ts=882&x=0"
2025-01-13 12:05:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49795	104.21.112.1	443	1812	C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:05:33 UTC	73	OUT	GET /xml/ HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:05:33 UTC	768	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:05:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ktYJvAPVUiCkgjzIZkbyzdwKo2ZXmabK%2FZ2InB%2Bk0REERr%2Fj66nx8hkpwB3VLGNlCLNMbuIOPCNrWj4NBfFXXW1ArbF7GzbOIe2HQoezdV8H99xDIb01wUTutnZtzh%2Bod5IHVy0U"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90154153af3c424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1534&min_rtt=1526&rtt_var=589&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=687&delivery_rate=1831869&cwnd=249&unsent_bytes=0&cid=195ee8e80eef4daa&ts=606&x=0"
2025-01-13 12:05:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	07:05:15
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\SOA.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SOA.scr.exe"
Imagebase:	0xab0000
File size:	617'992 bytes
MD5 hash:	10E27194BBD1FE9C32B2A47539357723
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2217258111.00000000058D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2214369600.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2214369600.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2212788552.0000000002F76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:05:16
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"
Imagebase:	0x100000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:05:16
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:05:16
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2349.tmp"
Imagebase:	0x160000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:05:16
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:05:16
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\SOA.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SOA.scr.exe"
Imagebase:	0x110000
File size:	617'992 bytes
MD5 hash:	10E27194BBD1FE9C32B2A47539357723
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:05:16
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\SOA.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SOA.scr.exe"
Imagebase:	0xd90000
File size:	617'992 bytes
MD5 hash:	10E27194BBD1FE9C32B2A47539357723
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.3442078497.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.3442078497.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3444644839.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:05:17
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe
Imagebase:	0xbc0000
File size:	617'992 bytes
MD5 hash:	10E27194BBD1FE9C32B2A47539357723
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2240442640.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs Detection: 29%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:05:18
Start date:	13/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:05:19
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVjuqWQWhLhEQl" /XML "C:\Users\user\AppData\Local\Temp\tmp2E55.tmp"
Imagebase:	0x160000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:05:19
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:05:19
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe"
Imagebase:	0x730000
File size:	617'992 bytes
MD5 hash:	10E27194BBD1FE9C32B2A47539357723
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3445148159.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	29
Total number of Limit Nodes:	4

Executed Functions

Function 015079D9 Relevance: .2, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2211860649.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa0392a3b28e02d8c3713f0ee0f56e387aba1af7e7c2517a8592123b1a8d904
Instruction ID: 735f16b638fbbfb34ba6400f2cdbf12f79cdc3808153a4ce7df91d004c0431b2
Opcode Fuzzy Hash: 4fa0392a3b28e02d8c3713f0ee0f56e387aba1af7e7c2517a8592123b1a8d904
Instruction Fuzzy Hash: D1B1C574E412198FDB09DFA9D8859EEBBF2FF8D300F148469D818AB364DB31A941CB50

Function 01504204 Relevance: .2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2211860649.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270d8231a0b8131f3d1ba2eadf0644a224de395b235a33761a781cabd8f6025
Instruction ID: 8efa6aef36eb03622528edf21a5056fb2b542095decb87a20dd74fa948fbd942
Opcode Fuzzy Hash: b270d8231a0b8131f3d1ba2eadf0644a224de395b235a33761a781cabd8f6025
Instruction Fuzzy Hash: 37A1B574E41219CFDB09DFA9D8849AEBBF2FF8D300F149469D819AB364DB30A941CB50

Function 0150DDC0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0150DE3E
GetCurrentThread.KERNEL32 ref: 0150DE7B
GetCurrentProcess.KERNEL32 ref: 0150DEB8
GetCurrentThreadId.KERNEL32 ref: 0150DF11

Memory Dump Source

Source File: 00000000.00000002.2211860649.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_SOA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a32eb6aa79e85bfb6b91668330c3e62dba3a8f62286524edd5e01edfe7b4f3a9
Instruction ID: 930ed4b28e6bd6e70978f647ef065acc46edbedf4111a8b692012e05f4c32308
Opcode Fuzzy Hash: a32eb6aa79e85bfb6b91668330c3e62dba3a8f62286524edd5e01edfe7b4f3a9
Instruction Fuzzy Hash: 005155B09002098FDB14DFAAD548BAEBFF1FF88314F208459E519A73A0D7789984CF65

Function 0150590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015059C9

Memory Dump Source

Source File: 00000000.00000002.2211860649.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_SOA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 551764da2a417634291341992dd8102019cc609b076c86e706e0ef833af5a579
Instruction ID: f8d5ce587d15db42bbc7f20df6ed1f144db00ca464d2a37aacc8a462693c5375
Opcode Fuzzy Hash: 551764da2a417634291341992dd8102019cc609b076c86e706e0ef833af5a579
Instruction Fuzzy Hash: 2241E2B0C00719CBDB25DFA9C884BDDBBF5BF49304F20806AD419AB255DB75594ACF90

Function 01504514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015059C9

Memory Dump Source

Source File: 00000000.00000002.2211860649.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_SOA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9aa2bdaf60830fb6a463fec3c5e531ccf96c81d0921cf9872b13dd91f1fffe70
Instruction ID: 8fac0d432bf30e416cb6f119a9b87c2a0ecb75c56b68725c2ef670f7ef361558
Opcode Fuzzy Hash: 9aa2bdaf60830fb6a463fec3c5e531ccf96c81d0921cf9872b13dd91f1fffe70
Instruction Fuzzy Hash: ED4104B0C1071DCBDB25DFA9C844B9DBBF5BF49304F20846AD418AB251DBB59945CF90

Function 0150E008 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0150E08F

Memory Dump Source

Source File: 00000000.00000002.2211860649.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_SOA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5d2ea188b727375d30cc9c9d852da43fc4bcd38a69d2c965f2236e12d0d43b1f
Instruction ID: 63995dc8d1c197a7c722660899198d5450428eacec912ffe488036c422ca399d
Opcode Fuzzy Hash: 5d2ea188b727375d30cc9c9d852da43fc4bcd38a69d2c965f2236e12d0d43b1f
Instruction Fuzzy Hash: B621F3B59002489FDB10CFAAD985ADEFFF8FB48310F14841AE918A7350D378A940CFA5

Function 0150BD20 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0150BD86

Memory Dump Source

Source File: 00000000.00000002.2211860649.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_SOA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1d366c7ed3a9f80b3a50494650b17fc6d1e1517e959c2b2f6ab08c62c85ef679
Instruction ID: 27300eb12890344ea05ef26fdd160d72e2897cee4b6ee913faddba4c82c59859
Opcode Fuzzy Hash: 1d366c7ed3a9f80b3a50494650b17fc6d1e1517e959c2b2f6ab08c62c85ef679
Instruction Fuzzy Hash: 5511DFB6C002498FDB20DF9AC444B9EFBF4EF89214F14842AD519A7650C379A545CFA6

Function 0131D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211414423.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0bd50745a063a39dc34c4b34fc6f163462f824fbf132a22a5125d8cf48d6a9
Instruction ID: ce128497aa0f94030b9fe0f9df0e36d0277169303eed3b1d949c8767585158a5
Opcode Fuzzy Hash: 0e0bd50745a063a39dc34c4b34fc6f163462f824fbf132a22a5125d8cf48d6a9
Instruction Fuzzy Hash: E3216D71140204DFDB09DF54D5C4F56BF69FB89318F20C56DD9091B25ACB3AE406C7A1

Function 0131D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211414423.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5648877da7a372822be1b2fe60767343e98d1cc1d2270a1ce41aaa9143a595
Instruction ID: 73c739284624a39ef76508e6fa4a1c8a5e0131e8c39d4e6446084833449d33df
Opcode Fuzzy Hash: fa5648877da7a372822be1b2fe60767343e98d1cc1d2270a1ce41aaa9143a595
Instruction Fuzzy Hash: 85210371500244DFDB19DF58D9C8F26BF69FB8931CF20C569E9090B25AC33AD416CAA2

Function 0132D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211478312.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6210e7ce7921ca0c8118c0670e51a562f4298b248f94ba6630862ec391d964d
Instruction ID: cac67b92dcfd968e225f97e1489056c75bac63c043a3e58768039cf5a46608cf
Opcode Fuzzy Hash: e6210e7ce7921ca0c8118c0670e51a562f4298b248f94ba6630862ec391d964d
Instruction Fuzzy Hash: 74210471504304EFDB05EFA8D9C0F26BBA9FB89328F20C56DE9094B356C33AD406CA61

Function 0132D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211478312.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a768fbe7e232b835bc483bfcb3bcc10b37c8d3db746631870be5cba7cee107e
Instruction ID: 745e7e6cda2c55b302906a02fa23f87b42f27221e99c22abffe7b9aeb920d69e
Opcode Fuzzy Hash: 5a768fbe7e232b835bc483bfcb3bcc10b37c8d3db746631870be5cba7cee107e
Instruction Fuzzy Hash: A2212571504244DFCB15EF68D980B16BF65FB84318F20C56DD90A0B366C33ED407CAA1

Function 0132D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211478312.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7140314511e2d230085ad081613997d7663ae01684f691b77f3269347ebecf2a
Instruction ID: c4b07fd75b1f1f06f98f97c859e4ec2a7f678133bfee20f961baf5835b1a4629
Opcode Fuzzy Hash: 7140314511e2d230085ad081613997d7663ae01684f691b77f3269347ebecf2a
Instruction Fuzzy Hash: F12180755083809FCB03DF64D994711BF71EB46218F28C5DAD8898F2A7C33A981ACB62

Function 0131D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211414423.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 85a8e014354435e5e0828a24bdd125b76e5a7fc1e4a6368c51d9aa0a6b30afc9
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: AF110372404280CFCB06CF54D5C4B16BF71FB88318F24C6A9D9490B25BC336D45ACBA2

Function 0131D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211414423.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 29365ea609eea1e50e71bf41739a1ece89c714e8f4cebdee2ca90ed57a1de9f0
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 40112672444240CFDB16CF44D5C4B56BF71FB89324F24C6A9D9090B25BC73AE45ACBA2

Function 0132D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211478312.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 93138cc410b9417f55dd973bdd5a714c0088659d186a2f69778c1e3e09a0267f
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 0411BB75504380DFDB02DF54D5C4B15BFB1FB85228F24C6A9D8494B296C33AD40ACB62

Function 0131D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211414423.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ecf615820642af8933aaf759180bdd4ea1ffbf8ac61e3f4766af1fc431ecee
Instruction ID: 4b791d05dbb930e57bec7f2e53788d723803c942bc34cf4ff1f1cfdb421cde91
Opcode Fuzzy Hash: f0ecf615820642af8933aaf759180bdd4ea1ffbf8ac61e3f4766af1fc431ecee
Instruction Fuzzy Hash: 2D01DB710043849AE7249F99CD8CB67FF9CEF47328F18C52AED090A68AD2799841CA75

Function 0131D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2211414423.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09320c0acef7962e02bd1a894fa99ef53a2dd1b485b7466a2080a496a44941fa
Instruction ID: 6c9987256c627f58a96e0432efda4f7ee78164699d26c807ee5783f57a1c3366
Opcode Fuzzy Hash: 09320c0acef7962e02bd1a894fa99ef53a2dd1b485b7466a2080a496a44941fa
Instruction Fuzzy Hash: 5CF096714043849EE7259F1ACC88B67FFD8EF46734F18C45AED484B28AC2799844CBB5

Analysis Process: SOA.scr.exePID: 5376, Parent PID: 4280COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	2

Executed Functions

Function 014219B8 Relevance: 8.5, Strings: 6, Instructions: 994
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 01422C95
Xaq, xrefs: 01421A76
Xaq, xrefs: 01421B7C
Xaq, xrefs: 01422CBE
Xaq, xrefs: 01421B2F
Xaq, xrefs: 01421AB0

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 9b86536a1fc56b039439f252fda5abc15475bccbc36e35455b58a8d2d13c7daa
Instruction ID: ca7ba31eaae1b830d19b56cd47884218f6beb824e2a2817eaa3b93207801f102
Opcode Fuzzy Hash: 9b86536a1fc56b039439f252fda5abc15475bccbc36e35455b58a8d2d13c7daa
Instruction Fuzzy Hash: 767256319983528BC7A5CF6484421A9FBF2FFD2230B2AD79EC0C646952D37D9C978B41

Function 01429E00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb1ef0cce78b96447790c19158d49c3c6bd5c4220ec7644c7c5d361f6b8d14
Instruction ID: 8c3ccb1f67916ebc8b5a62970d31d585b6ae69a18cc8edc07604db8465264d6b
Opcode Fuzzy Hash: e8eb1ef0cce78b96447790c19158d49c3c6bd5c4220ec7644c7c5d361f6b8d14
Instruction Fuzzy Hash: E8C19074E00218CFDB54DFA5D954B9DBBB2BF88301F2080AAD809AB365DB395D85CF11

Function 0142A3B0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cb586fe1b04bcf314fd874505ba65b33d17a7853d8936dbcde2851034d6224
Instruction ID: e6edf325a7d24f3508e0000681c2c5f5f4a8d65e6b0e790265acc1dd935ad9ef
Opcode Fuzzy Hash: 58cb586fe1b04bcf314fd874505ba65b33d17a7853d8936dbcde2851034d6224
Instruction Fuzzy Hash: 79A1F470D002188FDB14DFA9C584BDDBBB1FF88314F64826AE509AB3A1DB749985CF50

Function 0142A3C0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aee5f726f580ed3411971da4485fd51b18c681acbfabfecd3d7ea99d802aba6
Instruction ID: 41282d2a8aca1db3430521ad2ac4d6d67666a89ccb9696d72a1f01bea583332a
Opcode Fuzzy Hash: 9aee5f726f580ed3411971da4485fd51b18c681acbfabfecd3d7ea99d802aba6
Instruction Fuzzy Hash: 2FA1F370D002188FEB14DFA9C548BDDBBB1FF88315F60826AE509AB2A1DB749985CF51

Function 0142A706 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d55518fadf2ff9b191c151625c50a388375321193ebb02a61d2cdd19f19b3e6
Instruction ID: 2dda5e2cb2a10379e87f8bea428c63f24ab6594ba59ba769218d50f36539717a
Opcode Fuzzy Hash: 6d55518fadf2ff9b191c151625c50a388375321193ebb02a61d2cdd19f19b3e6
Instruction Fuzzy Hash: 62910270D00218CFDB14DFA8C588BDDBBB1FF89311F60926AE409AB2A1DB749985CF14

Function 01429DEF Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a9b80d156ef8dfb5a980d2157b7010a6c357b7d3cb90731e83b157c4c0f753
Instruction ID: 5c7c006943339a7522dd7fd3e2fb85f87b17e4d44b50b92c3d5e1df5976b0382
Opcode Fuzzy Hash: 29a9b80d156ef8dfb5a980d2157b7010a6c357b7d3cb90731e83b157c4c0f753
Instruction Fuzzy Hash: E841F370E002588BDB18CFBAD85469EFBF2BF89304F64C12AD518AB365EB355946CF50

Function 01423F78 Relevance: 6.4, Strings: 5, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 014240E1
Lj@p, xrefs: 01424078
0o@p, xrefs: 01423FDA
PH]q, xrefs: 014240F2
Lj@p, xrefs: 01424088

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 7751b0f2ba67e75cc2877033a6e21926b7a79dd0b2e7bcb805509d426f200297
Instruction ID: b605dd66e88a0cebff2b931324840734b05567bc0c54897f8fbb4026eaa6a957
Opcode Fuzzy Hash: 7751b0f2ba67e75cc2877033a6e21926b7a79dd0b2e7bcb805509d426f200297
Instruction Fuzzy Hash: 1151B474E00218DFDB48DFAAD59499DBBF2FF89310F54846AE815AB364DB34A881CF50

Function 05CCA140 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05CCA1CE
GetCurrentThread.KERNEL32 ref: 05CCA20B
GetCurrentProcess.KERNEL32 ref: 05CCA248
GetCurrentThreadId.KERNEL32 ref: 05CCA2A1

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a3158c99d472038f7fafb9bfdcf5e9ce9073ee6757bd5b7e0f5194f024fb1f1e
Instruction ID: 336bed963c089009f87ca1b45c82f140d4dc467e47a8530e68e4c3c404b19e1f
Opcode Fuzzy Hash: a3158c99d472038f7fafb9bfdcf5e9ce9073ee6757bd5b7e0f5194f024fb1f1e
Instruction Fuzzy Hash: CC5135B09003098FDB18DFA9D948B9EBFF1FF48314F208459E40AA7360D779A984CB65

Function 05CCA150 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05CCA1CE
GetCurrentThread.KERNEL32 ref: 05CCA20B
GetCurrentProcess.KERNEL32 ref: 05CCA248
GetCurrentThreadId.KERNEL32 ref: 05CCA2A1

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7b21f3fab04abaebdb8cc5d1fecd15b7bfc7a3296c81e41ef47cc67a350cce47
Instruction ID: 29ef9df7169e1618369ff430fe02d16481e2ae72eb091cae13315d8c481d5afa
Opcode Fuzzy Hash: 7b21f3fab04abaebdb8cc5d1fecd15b7bfc7a3296c81e41ef47cc67a350cce47
Instruction Fuzzy Hash: 3B5136B09002498FDB18DFA9D948B9EBFF1FF48314F208459E41AA7360D779A984CB65

Function 0142B2C0 Relevance: 5.3, Strings: 4, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0142B51B
Haq, xrefs: 0142B54E
, xrefs: 0142B3AD
Haq, xrefs: 0142B581

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: b1f980f8e2fa3b8a0f2ba80233b81c32ec259bf2bfc2b5d4f739ae25f3942b86
Instruction ID: 20780d3d05bf5a6bc283ef535e2620b80aeeac28e57c391cbb7209a7d1bed629
Opcode Fuzzy Hash: b1f980f8e2fa3b8a0f2ba80233b81c32ec259bf2bfc2b5d4f739ae25f3942b86
Instruction Fuzzy Hash: DBB1A0307042548FCB699F7C989816E3FA2FF85320B54466AE926CB3E1CE349C85CB52

Function 0142B2BE Relevance: 5.2, Strings: 4, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0142B51B
, xrefs: 0142B35D
Haq, xrefs: 0142B54E
Haq, xrefs: 0142B581

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 0a5259f9d4d5e51185d24e6f41fde053e0d38f8268342328c0d9ba7358a67a4b
Instruction ID: 475cb1a8da8736ae83c55a6ae07b30d13f033516de92598191e077baf8226c88
Opcode Fuzzy Hash: 0a5259f9d4d5e51185d24e6f41fde053e0d38f8268342328c0d9ba7358a67a4b
Instruction Fuzzy Hash: 9281C230B002248FCB699F7C949816E3BA2FF89320B54456BE916DB3A1DE34DC41CB91

Function 0142BAD8 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 0142BCC2
8bq, xrefs: 0142BC89

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 7bb592a7cf16e9cef9f4fcf0cc90e8bcc12beb3a55018310d664bddb42118b63
Instruction ID: a11a77f42422b290b06f4c819a312ef3f1a8cfb2059536a5ba1a49dbcdf76186
Opcode Fuzzy Hash: 7bb592a7cf16e9cef9f4fcf0cc90e8bcc12beb3a55018310d664bddb42118b63
Instruction Fuzzy Hash: 4A512935B001188FCB05DB68D594EDEBBB6EF88320F19405AE505AB3A5CA71EC85CBA1

Function 0142D82B Relevance: 2.6, Strings: 2, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0142D90F
$]q, xrefs: 0142D8EC

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 62c781b5266803d583cfe03bfa632d6873b398e25d65aa4e4fcc4a797a67518d
Instruction ID: fc0167d0a4457faf5b67ab51efa7384fe275aa50a9cdcd4a81af2c8d7ef0fe13
Opcode Fuzzy Hash: 62c781b5266803d583cfe03bfa632d6873b398e25d65aa4e4fcc4a797a67518d
Instruction Fuzzy Hash: 5741B134B002258FDB259FA8D898B6E7BAAFF84710F540456E116DB3B2DB75DC80CB50

Function 0142BBB1 Relevance: 2.6, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 0142BCC2
8bq, xrefs: 0142BC89

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 13d0426e62a2d231afaa542473f1b0c6b0c0c03451294b7718910084e076f3ba
Instruction ID: 6a12356d0b9fbbf997eaf89aa7737923c321f70d214d83208a683e4fe7e8cf2a
Opcode Fuzzy Hash: 13d0426e62a2d231afaa542473f1b0c6b0c0c03451294b7718910084e076f3ba
Instruction Fuzzy Hash: A2313534B401198FCB45DFA8C580E9EBBB6FF88320F595455E501AB3B5CA30EC86CB91

Function 0142BBE5 Relevance: 2.6, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 0142BCC2
8bq, xrefs: 0142BC89

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: a11d61b6c1be0e1f8e3531bce3b9c7a72428e77d5dc72b98e51b3f035b3daca5
Instruction ID: f44600a3d115c341c188743e8249d4f4c95caf4526daf964b8562cca422bc292
Opcode Fuzzy Hash: a11d61b6c1be0e1f8e3531bce3b9c7a72428e77d5dc72b98e51b3f035b3daca5
Instruction Fuzzy Hash: C8313330B401198FCB45DFA8C580E9EBBB6EF88320F595455E505AB3B6CA70EC86CB91

Function 05CCA393 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05CCA41F

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f620b933814b3148fb3ace3be10a885d360b4e74ec1dcc3d1229b6ba7feea6f6
Instruction ID: 6faef1423742f055aba320fbffe5d67c10fb1a0dd6c263b9ec6f83099de27027
Opcode Fuzzy Hash: f620b933814b3148fb3ace3be10a885d360b4e74ec1dcc3d1229b6ba7feea6f6
Instruction Fuzzy Hash: 1021E4B59002489FDB10CF9AD984ADEBFF8FB48310F14845AE918A3350D378A944CFA5

Function 05CCA398 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05CCA41F

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 310f8f377a86b657257a2906b1955af8c756847946cc90c5d85c36e0c0411949
Instruction ID: b5e9a2614eed0fcd8d4701f8304e93ce00c4bffce92d736413e1ae47ae689925
Opcode Fuzzy Hash: 310f8f377a86b657257a2906b1955af8c756847946cc90c5d85c36e0c0411949
Instruction Fuzzy Hash: 2621C4B59002499FDB10CF9AD984ADEBFF9FB48310F14845AE918A3350D378A944CFA5

Function 01420B20 Relevance: 1.5, Strings: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 01420B62

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: a9d9d562eba01efc42b2844693468f6580037906f965ad7c021a67be5c293245
Instruction ID: ff3fab9288ec33c18342eacd1fbbd87be974593145b5a45782e42e1dd5220bf0
Opcode Fuzzy Hash: a9d9d562eba01efc42b2844693468f6580037906f965ad7c021a67be5c293245
Instruction Fuzzy Hash: 4BA10C74A0020ACFCB04EFB9E99499DBBB9FF48704B104579E415AB365DB38AD15CF81

Function 01420B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01420B62

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 762f6faccf0d14bd8bd5907b0f2942bb65c3fe3a348c1cec7415ae2fd002368c
Instruction ID: a31c6fef686f7aec75df8c68a1a783656c75f64de591db53ef56681ed5864b91
Opcode Fuzzy Hash: 762f6faccf0d14bd8bd5907b0f2942bb65c3fe3a348c1cec7415ae2fd002368c
Instruction Fuzzy Hash: 39A1FB74A0020ACFCB04EFB9E98499DBBB9FF48704B104579E415AB369DB78AD15CF81

Function 0142BFF0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Haq, xrefs: 0142C085

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 7cec7c87043bcadbae5c79b20bc310ef12a81b8c0ac061b421bb1ffc21f86754
Instruction ID: f596b343144e4f4373aa6b0ace41993bccb3cc49709be67ace406db3e829a28d
Opcode Fuzzy Hash: 7cec7c87043bcadbae5c79b20bc310ef12a81b8c0ac061b421bb1ffc21f86754
Instruction Fuzzy Hash: F531C2317002199FC704EFB9D8516AF7BAAEF99201B5440BAE509CB361DE30DD42C791

Function 0142C888 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4']q, xrefs: 0142C903

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: a8025e1dbe7e99aec9bdc9a87df0679e1ab3201a0f6e9b6839a6afc5ea961b3e
Instruction ID: 5454d60b829e28ade95793dff25b1c6f02601c38636deb271f164cec67d47a07
Opcode Fuzzy Hash: a8025e1dbe7e99aec9bdc9a87df0679e1ab3201a0f6e9b6839a6afc5ea961b3e
Instruction Fuzzy Hash: 634126747001299FCB15DF29C888AAE7BB5BF89351F51406AF9168B3B1CB71DD81CB90

Function 0142CBBB Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4']q, xrefs: 0142CC3A

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 3e659bbc69218db18fb8b851a9e4ba18bf9f883783b2a804b2045b3c64a1e7ef
Instruction ID: dbb956d3128d30324305b499af14f017bd5c19c3ae3eeb82effd6070e0d5fe0a
Opcode Fuzzy Hash: 3e659bbc69218db18fb8b851a9e4ba18bf9f883783b2a804b2045b3c64a1e7ef
Instruction Fuzzy Hash: F2219E313041698BE715CE2B98C067F7FEAEB89200B49442BE516C7364DA75CCC1C7A0

Function 0142C140 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Haq, xrefs: 0142C18E

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: e21fe4d90199537d3e044f6c4bfc7356046ac2862b60e6f13de08417950305c6
Instruction ID: be237c3fe6bedb117c19753ef29285fa22a3f119992d95275700e0eeabee21b3
Opcode Fuzzy Hash: e21fe4d90199537d3e044f6c4bfc7356046ac2862b60e6f13de08417950305c6
Instruction Fuzzy Hash: 6121E134704245DFC708DF69C895A2E7FB6FF89340FA480AAD9068B762CE319D46CB90

Function 01424E6D Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4cadf549d6133e2639e1b0911a8c7be4223eb07956d689564ce283a8bf000a7
Instruction ID: 3e32ad541b041699ae73db5e59591172bd496a9b75710c14bc87a6aeabb3eccb
Opcode Fuzzy Hash: c4cadf549d6133e2639e1b0911a8c7be4223eb07956d689564ce283a8bf000a7
Instruction Fuzzy Hash: 95F0FE71419382CFC3222B74A8EC26A7F78EF0B323F442C82E25AC606BEB344444CB15

Function 0142DC18 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2be0e604ab8cbe43b9435fa9d361290535082b3f2edd79901e7e4f4a21151ed
Instruction ID: 2c3de360d7bfe24f9710d1fe4fc8ef25a737c6c675c8343f181238b704769f7f
Opcode Fuzzy Hash: f2be0e604ab8cbe43b9435fa9d361290535082b3f2edd79901e7e4f4a21151ed
Instruction Fuzzy Hash: BBA1B575E006288FCB05CF99D9849ADBBF6FF58320B5A845AE505AB372C731EC81CB54

Function 0142C2D8 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fe1288bbd7a64ad3710b8089d69473a35997b6123e48037328e7930853115b
Instruction ID: b52d427e4830352e169fa67df497ca34d056e110e7c0ae6702f4d679ff1393dd
Opcode Fuzzy Hash: a0fe1288bbd7a64ad3710b8089d69473a35997b6123e48037328e7930853115b
Instruction Fuzzy Hash: 7961E372B002159FCB149A6DD8809AFBBBAFFC8320B54893BE519D7361DA31D941C7A0

Function 0142DC13 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed5bb01f67e33039869b8268ab473a01c90d8795bf7462efd8b4e9b928142c8
Instruction ID: 21f30ed35e272028639deb0aa558f5a43536fd6faaac209c8c1c56e697c467d6
Opcode Fuzzy Hash: fed5bb01f67e33039869b8268ab473a01c90d8795bf7462efd8b4e9b928142c8
Instruction Fuzzy Hash: 9691B275E006288FCB05CF99D9889ADBBF6FF58320B5A805AE515AB371C731EC81CB54

Function 01429B9F Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e620327aff1be04c8dac1fca6685615c033cfed29b998b1a6baa43d1de2269
Instruction ID: f816da9ec7c91100a6f3176f42d12766d1cb73f33fbed9285910d86e965f290e
Opcode Fuzzy Hash: 72e620327aff1be04c8dac1fca6685615c033cfed29b998b1a6baa43d1de2269
Instruction Fuzzy Hash: 2A3124764362178FC6092B28E5AF26A7F64FF0B337B446C42F15AC9A25DF34408CAA50

Function 01423158 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a377e8949ff4f4213dabfea568b983048b046757aad71ba5fe64378855d83cfb
Instruction ID: fdf4f04c04cd0d049257e3c3d7aa4ba22b8be9d21badc963c03c71f7868003b6
Opcode Fuzzy Hash: a377e8949ff4f4213dabfea568b983048b046757aad71ba5fe64378855d83cfb
Instruction Fuzzy Hash: 3941B3B4E01218DFCB18DFAAD49499DBBB2BF89300F64902AE405BB364DB349945CF14

Function 01423168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368d13bcf150f9feb307fe4fb4d9b6e3810dac47f1b2680e1aba80eff8bc0c45
Instruction ID: 658962afe03db338cbd7383e3cb1903c2a4493c1ddae99451097431c42e292ad
Opcode Fuzzy Hash: 368d13bcf150f9feb307fe4fb4d9b6e3810dac47f1b2680e1aba80eff8bc0c45
Instruction Fuzzy Hash: E141A2B4E01218DFCB18DFAAD48499DBBF2BF89300F64942AE405BB364DB34A945CF14

Function 0142D950 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078ead6cd44015fb24e943892a766716af5bfa198e3195a4aa27848e68803d0e
Instruction ID: 7b20ffb3ef41314e4b9ecfbcdd7b5d1d7ca0c895ef19625e0aedc347c0b85855
Opcode Fuzzy Hash: 078ead6cd44015fb24e943892a766716af5bfa198e3195a4aa27848e68803d0e
Instruction Fuzzy Hash: B4319F35B002149FCB14AFA9D858AAE7FB6BFCC710F54406AE906D73A1CE319D01CB94

Function 0142DB03 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ceef28d34cc5284ecaa9a64f2fe76f32529c5bb30970d099e00b0bc6e64c4f
Instruction ID: e8af4bbe98a7e8c8603b5a642c0d4e50959a9b481df55b97b65778ef132e25dd
Opcode Fuzzy Hash: 48ceef28d34cc5284ecaa9a64f2fe76f32529c5bb30970d099e00b0bc6e64c4f
Instruction Fuzzy Hash: EB314F70E005198FCB08DFADC8949AEBBB6FF89710B558559E5159B3B1CB30EC82CB94

Function 0142CCA9 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952806c386be898bc3dc14ffe47a9fbc78cda5d2f2b5d48e1bf6d1b3c7546580
Instruction ID: 085acd461ce0da163d2edd4a7dacc44378ed4f261290a5197f9043490f91e492
Opcode Fuzzy Hash: 952806c386be898bc3dc14ffe47a9fbc78cda5d2f2b5d48e1bf6d1b3c7546580
Instruction Fuzzy Hash: 0021B3313602214BDB2A262DC8D463F7A97AFC5614B94407AD506CB3B6EE39C8839791

Function 0142CCB8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ed470d0d9286d06fd38b9c1c3e7a3de5666e5267f225ff893fbc1e150e53f0
Instruction ID: 81806dd4a55b05360462cf1e7e22cdc930fdf378e870001adaae3091f5b8c865
Opcode Fuzzy Hash: 52ed470d0d9286d06fd38b9c1c3e7a3de5666e5267f225ff893fbc1e150e53f0
Instruction Fuzzy Hash: 2621B0313602214BDB26262DC8D463F7A97AFC5614F94407AD506CB3B5EF7ACC839791

Function 0142DEFB Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc4457f0d92aa4dedbd2608013e7f1bcec21b28c8ff2e996c95c52b25e2cf0f
Instruction ID: 8e9a49f6d5340d94ba82040f2792e2b557cadde87b34f163c9aa0a667d304ecc
Opcode Fuzzy Hash: 3dc4457f0d92aa4dedbd2608013e7f1bcec21b28c8ff2e996c95c52b25e2cf0f
Instruction Fuzzy Hash: 7321AF36B001218FD7149A6DD8A4E2AB7E6EFCC710B5A00BAEA05CB371DE70DC41CB94

Function 014218C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde4b5b7bfc39f660c27ddfa844b8a9fd4eadd74911b88826e0ea2c484291813
Instruction ID: fb0aecad6e0f3757f2edb2fc239d7995a121d8bbca901360448c73f50cc15705
Opcode Fuzzy Hash: fde4b5b7bfc39f660c27ddfa844b8a9fd4eadd74911b88826e0ea2c484291813
Instruction Fuzzy Hash: D521C431B00115AFCB14CF68C4409AF37A5EB89654B54C05ED80EAB350EB34EE8BCBC2

Function 0142FDA8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c1e62ab0798080198d206a763edfc037a9ac3d050bd6d35ddcd9f1dd34e9f
Instruction ID: 40ae80da882369e808c584b8ec6d16400f6ecfe7b7d8073549d2a38d659e9314
Opcode Fuzzy Hash: 0f0c1e62ab0798080198d206a763edfc037a9ac3d050bd6d35ddcd9f1dd34e9f
Instruction Fuzzy Hash: 5A215E727041159F9755DE6DE4808ABFBF9FBD9224354C12FE909C7342EA32D806CB60

Function 013BD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3442790931.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13bd000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2420e3f8a9371eace63f5075f63f324d9c4d0c8536d5ba2b94bb7487b7919a
Instruction ID: bf8bc4a3fe37f822c770700c304898dd3d8790ac15347db1ea1d2a0303fb262a
Opcode Fuzzy Hash: be2420e3f8a9371eace63f5075f63f324d9c4d0c8536d5ba2b94bb7487b7919a
Instruction Fuzzy Hash: C5212271504204DFCB15DF98D9C0B26BBA9FB8431CF20C56DDA090BA56D33AD406CB62

Function 01420EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99842fec3c82a79b163e821183e341377c6dd8646a4220c2c428e377336bffd5
Instruction ID: e0524867605415b310a3190629ede8bc9f4b320a7a152ad0f8fe9e558c593661
Opcode Fuzzy Hash: 99842fec3c82a79b163e821183e341377c6dd8646a4220c2c428e377336bffd5
Instruction Fuzzy Hash: 64219034E402199FC704EFB9C4506AEBBB6FF84708F4084AAD415AB364DB788945CF41

Function 01429D32 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c632c4ab542ab6b84150861733e5e7e4255a8047b1c5d076e41c818b9dc869
Instruction ID: 90139dd97e58ef14c87f38986122dd7068e5e24f7f7a812195114da3fde043ac
Opcode Fuzzy Hash: c8c632c4ab542ab6b84150861733e5e7e4255a8047b1c5d076e41c818b9dc869
Instruction Fuzzy Hash: 6F219D70D1021ACFCB05DFB8D55869EBFB5FF02316F4089A6D019AB265DB358949DB80

Function 0142BEA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bef4b90b96860f796cb835cf7228b05de56c978bd5cd2a6c51fcdb2850a46d
Instruction ID: c665afe39174771ede0d1ad5873d1e1af6bc19c24eb0f8e9c532257ae743ffef
Opcode Fuzzy Hash: 55bef4b90b96860f796cb835cf7228b05de56c978bd5cd2a6c51fcdb2850a46d
Instruction Fuzzy Hash: A4118C363002148FC718DB6DE594E16B7FAFF88721B51846AE20ACB771CA71EC45CB10

Function 014217B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7336e066468b130a7e99632c4a3397ab3d8943f9fa418566510076eb29633f50
Instruction ID: 3822ea36e3bbbe6568baeec90f092a27abc8bd9704d63909104c3bf3d83c30e7
Opcode Fuzzy Hash: 7336e066468b130a7e99632c4a3397ab3d8943f9fa418566510076eb29633f50
Instruction Fuzzy Hash: 32211270C0421A8FCB04DFA8D8945EEBFF4BF4A304F0041AAD405B7265EB349A85CBA1

Function 0142D94B Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b6a950f2a9ca03a12bdf418756869028e787430f399d5553f0bc7eeedc2524
Instruction ID: d2c066b5fbb3e6271bd5673dca419a5261fcf02df6653490a77b7ebd1049bd52
Opcode Fuzzy Hash: 37b6a950f2a9ca03a12bdf418756869028e787430f399d5553f0bc7eeedc2524
Instruction Fuzzy Hash: 38118E36B002089FCB149FA9DC44BDEBBB6EB8C310F145066E902A73A0CA31AC00CB90

Function 0142BE91 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512349fdf475804b1c4295a524b0eb3a13a301e0f7ce36c5fbb7335d9d2bbb94
Instruction ID: 486fab9999132c9a77e5bb3ef1ef3f6ef5e717c8a3896fd10af7955cb2ca2ad8
Opcode Fuzzy Hash: 512349fdf475804b1c4295a524b0eb3a13a301e0f7ce36c5fbb7335d9d2bbb94
Instruction Fuzzy Hash: 30015B313402108FC7189A6DD594B1AB7E5FF88721F55846AE209CB771CA71DC45CA11

Function 013BD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3442790931.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13bd000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: e7e95802d1f5814bd29c2d0564c8bf00330b1e6b2026599eae9155e57d04ac0b
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 8D11BB75504284CFDB12CF58D9C4B15BFA1FB84318F28C6AAD9494BA56C33AD44ACB62

Function 01425208 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877df8df417db3ce24bb5601136b5345f8cd6dcd8bed41317a7b96ec6d752711
Instruction ID: 274b42053a436070f0202c2aacda64f4bb4c7845a6d84a7841ecf2ac2b66b13f
Opcode Fuzzy Hash: 877df8df417db3ce24bb5601136b5345f8cd6dcd8bed41317a7b96ec6d752711
Instruction Fuzzy Hash: 0301B132B012214BDB249BB958545BF77ABAF85564754452AE809CB365FE30C8424BA2

Function 01425210 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1757f6125bb0b6b6f2b9e448511ba63cf9ed5520e8704e0c47dacb1164ab1a
Instruction ID: 6dc77460ffd29dc467f40d3dfccdb89424928641066af71c570c2470cbb4ed14
Opcode Fuzzy Hash: 1d1757f6125bb0b6b6f2b9e448511ba63cf9ed5520e8704e0c47dacb1164ab1a
Instruction Fuzzy Hash: 9F01D632B003115FDB24ABBD885856F76EFAFC5564754853AE909CB365FE30CC028BA2

Function 0142BE71 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb1b61de81f712a3c042feead5d073543ac1b105db20adb26254311696e3f34
Instruction ID: 5c4ce0df41a76858337285a50117e68a3dc96369fbaea7aa2b6ade1e775e8e23
Opcode Fuzzy Hash: fdb1b61de81f712a3c042feead5d073543ac1b105db20adb26254311696e3f34
Instruction Fuzzy Hash: F6014C353006118FD714DB2DD5A4B1AB7F1FF88725F95846AE246CB771CA70D8858B11

Function 0142A840 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb1c06a09d0f7618e47dd87cc6c4751bd9ec2eebfd032e543f6c71edb7bc5b4
Instruction ID: 9e105b420d559695b362e981c040db9faa044a28030392289f12c38032db57a8
Opcode Fuzzy Hash: 5fb1c06a09d0f7618e47dd87cc6c4751bd9ec2eebfd032e543f6c71edb7bc5b4
Instruction Fuzzy Hash: C3017176A101199FCB14DF68D844AEE7BB1FF88321B108176F929D7250DB308D559BA1

Function 0142A850 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c737b524fdf2bca23aab686c9591d936b49255399fcaaa8bacbb22b9ee58ea1
Instruction ID: 2f272a0f5c976edd46c64c03f8a3e9164a8cdb136b5a989dc96e32b33b0c9eac
Opcode Fuzzy Hash: 6c737b524fdf2bca23aab686c9591d936b49255399fcaaa8bacbb22b9ee58ea1
Instruction Fuzzy Hash: B3014C31E101199BCB189F78D8496AF7FB5FB88211B50452AFD1AD7250DF308D159BA1

Function 0142C250 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9981fa49e892f8866fa17070750c9466cb030e7ce30c3b5a202778c4a4f415
Instruction ID: 0bc07852c68a36fcb275124d80478641973660a1ab182a1129aad8835ed41cd2
Opcode Fuzzy Hash: 5b9981fa49e892f8866fa17070750c9466cb030e7ce30c3b5a202778c4a4f415
Instruction Fuzzy Hash: 00F04C3370021487CB1927ACE85956E3F9ADBC5621B544037F609CB742CE35CC4397E4

Function 0142FD98 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382b62b3b045f194f467995b9f9e1769a54ff5d410e5804210caaf770bba4bae
Instruction ID: 7550357793b11955f172e273d10bbfc9561b003fd8481e4081d995fc8bfef001
Opcode Fuzzy Hash: 382b62b3b045f194f467995b9f9e1769a54ff5d410e5804210caaf770bba4bae
Instruction Fuzzy Hash: 04F0C2B2B011159FCB81CEBCD9445BBBFFEEB98214314C62BE409D7381EA30C8028760

Function 0142BF80 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e87a94d9823d150fe2cd6c77a304c603ccfd4655db2b68a8aa71b56bab6adb
Instruction ID: 2c23edef1eaba6197996de54163b482f34b21fbfdcb3f09be5bb945053686816
Opcode Fuzzy Hash: 71e87a94d9823d150fe2cd6c77a304c603ccfd4655db2b68a8aa71b56bab6adb
Instruction Fuzzy Hash: 92F022313052A08FC7159778C829A1A3FA6DF96200F0A44ABEA41CB7A2CC34DC04C761

Function 0142BD31 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4834b17cca24df58b52a7c2d2fede1ed3c9bd6afd995317822910fb83d7d28
Instruction ID: c9422c1802cae9ac2a8ffb19c2a39484fe45541e26868a970a01b27197f71761
Opcode Fuzzy Hash: 6d4834b17cca24df58b52a7c2d2fede1ed3c9bd6afd995317822910fb83d7d28
Instruction Fuzzy Hash: 6FF09072A002099F8B50DEAED88199FBBF9FE98350B40413AD609D3210DA70995687E1

Function 0142C508 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc25e14beba0bba44d3ea8794c00bfccda4ae9fd022a4e999bc3ba11ac4f1498
Instruction ID: 4a396b8c2322f492c9658c479d20e27d5ccf3ce1c6f27fcbc3bd46693a0e4ef2
Opcode Fuzzy Hash: bc25e14beba0bba44d3ea8794c00bfccda4ae9fd022a4e999bc3ba11ac4f1498
Instruction Fuzzy Hash: F0F0A032B046359BCB199B6EA41496FBBAADFD8671754407FE508CB360CE72DC428790

Function 0142BD40 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f58f614042827857d4e3d9405a49d105f21ad288724e34bd3529f32831c3c9
Instruction ID: b09a6b5cfa58768850df2622b26bad0c74ea33788f0acc0f176593f108ce6e8c
Opcode Fuzzy Hash: 78f58f614042827857d4e3d9405a49d105f21ad288724e34bd3529f32831c3c9
Instruction Fuzzy Hash: 39F05E729002099F8B50DFAA984099FBBF9FB98250B40412AD609D3210E6709A158BE1

Function 0142BF70 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ecbaf6bd193feabc1f85a9a2073378e4d002d362041b74e3642e2df8f87f50d
Instruction ID: 5057dfbd4c77615162779a0f2cb3b76be38d6c736216cb92a410c30fbd3d927c
Opcode Fuzzy Hash: 9ecbaf6bd193feabc1f85a9a2073378e4d002d362041b74e3642e2df8f87f50d
Instruction Fuzzy Hash: 95E0DF363001315FD71096ADD562FADBBA4EFA8761F494033FA40CB760D931EC804B90

Function 01425088 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20973325f22a0b19d1210343dc8274ed23f942dca8e1dfac60fa6216cecff60
Instruction ID: c5bd2546ce6e77c6f3b3ccd16e80e0256c25740b14e0db674888a72333960aae
Opcode Fuzzy Hash: f20973325f22a0b19d1210343dc8274ed23f942dca8e1dfac60fa6216cecff60
Instruction Fuzzy Hash: C9E09970022302CFD2212F64B4EC27EBA6DEB0B323F803D02A20FC002AEB704084CB58

Function 01421877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f370a212d02524b554a23776991f31f0fc0b70a1b70b9fcfe5cd4edee8b434a1
Instruction ID: 325af57b9f78e7bb35443d0702f533ab6419e145045206031cd202b6574be3b8
Opcode Fuzzy Hash: f370a212d02524b554a23776991f31f0fc0b70a1b70b9fcfe5cd4edee8b434a1
Instruction Fuzzy Hash: F1E0DF31D503268BC702EBA1AC500DEB334EE91224B044266C46936150FB341A5A8AE2

Function 0142BAD6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa6510a7b42169cb3dfb02e3f4cf83d4d61f11e1f334d292572caf68f762975
Instruction ID: e8ec87288f0ed72bc60d494b14906d1dbb216f03126b21f8c0fcb102ec0470a6
Opcode Fuzzy Hash: dfa6510a7b42169cb3dfb02e3f4cf83d4d61f11e1f334d292572caf68f762975
Instruction Fuzzy Hash: 85E08C777011309FC318CA9DE488CAABBA9EF88629319007BF209DB721CA71DC01C790

Function 0142BF38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95ba863363ca8b61d0badaa38f0e69ea91607551c72e282422184ffd6b8819f
Instruction ID: 6c2574e0a1bd9aca95a8f1784a56a509828a9acb720ca14fc6e0f62ad3e01ca0
Opcode Fuzzy Hash: d95ba863363ca8b61d0badaa38f0e69ea91607551c72e282422184ffd6b8819f
Instruction Fuzzy Hash: AFE0C23B3502244FD3045BA8E456BA873A8EF84635F020072E4499F3A2CE21DC028681

Function 01421888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bf2330a177bfed04dec013cbac3c5f2a41a7a0a4fac2e58de59a8a38ba2d87
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 34bf2330a177bfed04dec013cbac3c5f2a41a7a0a4fac2e58de59a8a38ba2d87
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 014251E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5983392292259ae3af2a85ebf2a88c81fd48836c192a4b4dba22ecd4004b3fd
Instruction ID: a3dbd40e538fdf0fde543ab9ddf2188666ea71c14d68c3b97cc13ec70d5e7299
Opcode Fuzzy Hash: b5983392292259ae3af2a85ebf2a88c81fd48836c192a4b4dba22ecd4004b3fd
Instruction Fuzzy Hash: 37D05E66C4E3904FCB53862408250B57FB0AD4B11035500CBC451CA1B7D9285D45C717

Function 0142325B Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0c6c05de9fe5466c050ab4b59702c3465a22f1d83f4148c9ccade9f547e271
Instruction ID: 3f9be8cdd1faf753fac0e394e2f024c90fdf226924a3d5667296faeb0ddd0775
Opcode Fuzzy Hash: ed0c6c05de9fe5466c050ab4b59702c3465a22f1d83f4148c9ccade9f547e271
Instruction Fuzzy Hash: FBE0BD38E00309CFCF10DFA9E54489CBBB9FB48300B109066EA29AB220D6389A12CF41

Function 0142D9FD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd3c388b3a21903469198b9624cc6a30664d1eefe5df5bddad77ca5a43439d0
Instruction ID: eef15bb263f8f87e7ae0e94bf9070d2179f8c1cf190b660f19adbb3a4cf38e08
Opcode Fuzzy Hash: dbd3c388b3a21903469198b9624cc6a30664d1eefe5df5bddad77ca5a43439d0
Instruction Fuzzy Hash: A6D0677AB400189FCB159F98EC808DEBBB6FB98321B049116F916A7261CA319921DB50

Function 0142BF48 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6258abe8c679e14205d3138be406d68744bba8ee3a3dff51a6079bdb9717bb78
Instruction ID: c041c922ba64016fff4ffe5db44b07ecfb8efa2ec376ff88ab2be3a1559da234
Opcode Fuzzy Hash: 6258abe8c679e14205d3138be406d68744bba8ee3a3dff51a6079bdb9717bb78
Instruction Fuzzy Hash: BFD0A7353502248FC304AB74E418C6577A9EF4867070140A5F50A8F362CE71DC0087C1

Function 0142A8A2 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd8891d328eb30197b6aab68f34d8eee47f620f9d3bd5387077a6650928b106
Instruction ID: 3b7d7b8f6b0719f64d37cb3be7a4ee9d199b8e1f581fcf99765608a848c7fef8
Opcode Fuzzy Hash: 4bd8891d328eb30197b6aab68f34d8eee47f620f9d3bd5387077a6650928b106
Instruction Fuzzy Hash: 49C02B33F00034868918454870040DDB321EBC0231B6040A3DA014740687700A2F7A40

Non-executed Functions

Function 05CC51E8 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 05CC5303

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 5758c631b1785d4a04ac9aee155d025f89a6a539088c1440c2304142d8f9913c
Instruction ID: da743e317d125379424051fb5f4468d8367b85b6198aea925c7f0a8806b0f059
Opcode Fuzzy Hash: 5758c631b1785d4a04ac9aee155d025f89a6a539088c1440c2304142d8f9913c
Instruction Fuzzy Hash: 36528E74E01229CFDB64DF65C884B9DBBB2BF89301F5085EAD409A7254DB35AE81CF50

Function 05CC5CD8 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9320479fb8ed2069811874794a5c85f076aa9afa8c9551b3a98c9431b6eb46
Instruction ID: 005d1ea5e8e5fb9b4f2179fe46f7cb8df8ee9110253c1ac0e23699d4c9e5bf19
Opcode Fuzzy Hash: 2b9320479fb8ed2069811874794a5c85f076aa9afa8c9551b3a98c9431b6eb46
Instruction Fuzzy Hash: 5272CA74E052298FDB64DF69C980BEDBBB2BB49301F1485EAD409A7255DB34AEC1CF40

Function 05CC15F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fb505b24dc574b307512b783a14c7db562e9fb8f77579e8a781aef8bc15cdb
Instruction ID: 07ba173c40fd055da09f783395dc42d93b331821e069dcb5bde6bdd4dc349fde
Opcode Fuzzy Hash: 61fb505b24dc574b307512b783a14c7db562e9fb8f77579e8a781aef8bc15cdb
Instruction Fuzzy Hash: 95C1AF74E00218CFDB54DFA6D984B9DBBB2BF88300F1485A9D809AB365DB359E85CF50

Function 05CC3598 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9616c05660cf10f4725f54361576d3db7345ea965debd3e378559d89f4ddde
Instruction ID: 464c5f0f3a908ef4594ea28dc4942e26b45b0022df5e6e8486f7e27a05fc2b17
Opcode Fuzzy Hash: dd9616c05660cf10f4725f54361576d3db7345ea965debd3e378559d89f4ddde
Instruction Fuzzy Hash: 0FC1AE74E00218CFDB54DFA5D984B9DBBB2BF88300F1085A9D809AB365DB359E85CF51

Function 05CC0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1330d93f514f2045efbd40a82c0803b34e1dd92baaf790014bd2eae1df4b73
Instruction ID: 61368657230de91584c1de8674dcd631d1b50e80699ae08ab068c0d5886c724d
Opcode Fuzzy Hash: 3c1330d93f514f2045efbd40a82c0803b34e1dd92baaf790014bd2eae1df4b73
Instruction Fuzzy Hash: E3C1AE74E01218CFDB54DFA5D984B9DBBB2BF88300F1085A9D809AB365DB389E85CF50

Function 05CC2438 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34529423f171f7ee71fc8e940d6b31aa8dad93419c82431852a4c658938815c3
Instruction ID: b7b18ba5a183e3f302aed47669e1f23ba86bee98bdbf5b4ff788382da8751049
Opcode Fuzzy Hash: 34529423f171f7ee71fc8e940d6b31aa8dad93419c82431852a4c658938815c3
Instruction Fuzzy Hash: EAC1AD74E00218CFDB54DFA5D984B9DBBB2AF88300F1085A9D809AB265DB349E85CF51

Function 05CC46F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec519c1c1842affa0321be2c26ba3abfa6babdd320673c70f45d45903f877f7d
Instruction ID: 9b843db065c0ce32b00a0235c0188281e2dc281a1c109df294b4149429bd978c
Opcode Fuzzy Hash: ec519c1c1842affa0321be2c26ba3abfa6babdd320673c70f45d45903f877f7d
Instruction Fuzzy Hash: 8EC1BF74E00218CFDB58DFA5D994B9DBBB6BF88300F1080A9D809AB365DB349E85CF50

Function 05CC11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf3a3f26a1ea89cb53e27c3f8c19ac317d332c7be3f3db9dae84973ac3385b2
Instruction ID: 35eb833a405fd7b1bb8723197e83955d66e40c8153e34cff3556aa98016b294c
Opcode Fuzzy Hash: 2bf3a3f26a1ea89cb53e27c3f8c19ac317d332c7be3f3db9dae84973ac3385b2
Instruction Fuzzy Hash: CDC1BF74E00218CFDB54DFA6D984B9DBBB2EF89300F1490A9D809AB365DB349E85CF51

Function 05CC3140 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6896a1b2a42e72a065c85b687909fa03873e35debb05039520cc6935a7e0df95
Instruction ID: f5fae000bce58cd8b6e0eb02bc9050cba4dd7cc0ec32981643a784181a56ab2f
Opcode Fuzzy Hash: 6896a1b2a42e72a065c85b687909fa03873e35debb05039520cc6935a7e0df95
Instruction Fuzzy Hash: 68C1AE74E00218CFDB54DFA9D984B9DBBB2AF88300F1084A9D809AB365DB359E85CF51

Function 05CC0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c632b69ab646752714123ac29850dee9f00c0528b0edd7937f41bf8eb948275
Instruction ID: aced39fc945c67338f4553b9b999aabf0a532e6550f77e5734291d95d7e8b237
Opcode Fuzzy Hash: 4c632b69ab646752714123ac29850dee9f00c0528b0edd7937f41bf8eb948275
Instruction Fuzzy Hash: 74C1AD74E00218CFDB54DFA5D984B9DBBB2EF88300F1091A9D809AB265DB399A85CF51

Function 05CC42A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bcc7262d7efdf888f4a0ed93e6b9fe61d7324a2d8e56dd1ae47c310106a4aa
Instruction ID: 255e431933748cd38811ee2eef85f8befa280f8d2d8d79b4d356e4f68fb5c071
Opcode Fuzzy Hash: 29bcc7262d7efdf888f4a0ed93e6b9fe61d7324a2d8e56dd1ae47c310106a4aa
Instruction Fuzzy Hash: BBC1AF74E00218CFDB54DFA5D994B9DBBB2EF88300F1091A9D809AB365DB355E85CF50

Function 05CC0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd40d5f7228a8ff15862c46a31ab849ee8142dd96915b38b8737f8da0dca3b9c
Instruction ID: 4104585c938a39b746fe16565da6d1b82355c4f9424b4277195c23fdcf40d167
Opcode Fuzzy Hash: cd40d5f7228a8ff15862c46a31ab849ee8142dd96915b38b8737f8da0dca3b9c
Instruction Fuzzy Hash: 89C1B074E00218CFDB54DFA5D984B9DBBB2BF89300F1084A9D809AB365DB389E85CF11

Function 05CC2CE8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e324b69388a92026cd2cc3053e1b5abc02aed7c26cbc4bb08af1cfd95367853
Instruction ID: f6b7ab797c93d9786bc9639ca05bd14759a9596f64573d9544d9e913af539747
Opcode Fuzzy Hash: 4e324b69388a92026cd2cc3053e1b5abc02aed7c26cbc4bb08af1cfd95367853
Instruction Fuzzy Hash: ADC1AF74E00218CFDB54DFA5D984B9DBBB2BF88300F1085A9D809AB365DB399E85CF51

Function 05CC1EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79313c4fb8c23a61b71a8540be57cad3225c69a39ef2ae01ddd4e9c795f6d011
Instruction ID: 0469f772aab2712a3d65c61f85cf29ab02aeba9c197adbefcef93fb3bbf07753
Opcode Fuzzy Hash: 79313c4fb8c23a61b71a8540be57cad3225c69a39ef2ae01ddd4e9c795f6d011
Instruction Fuzzy Hash: 30C1AE74E00218CFDB54DFA5D994B9DBBB2BF89300F2091A9D809AB365DB349E85CF50

Function 05CC3E48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd98a67f46fe03b3eeeca2eb7373271e2a88dc7917b4dfc1d70c392c0490692a
Instruction ID: 1031a356bc63b9c809852bf2c80a6d0b7bd45a99f3f303820a3faba32a232fb1
Opcode Fuzzy Hash: cd98a67f46fe03b3eeeca2eb7373271e2a88dc7917b4dfc1d70c392c0490692a
Instruction Fuzzy Hash: D5C1BE74E00218CFDB58DFA5D994B9DBBB2BF88300F1084A9D809AB365DB359E85CF10

Function 05CC39F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5daa8b04aab5608f2842b12c5234bdcfd09be9e214d2eaf827e359f6e64119ce
Instruction ID: dee7c574ad0d57d28d4c282c92509e9b062f93e07f6d7aadca827199634d061e
Opcode Fuzzy Hash: 5daa8b04aab5608f2842b12c5234bdcfd09be9e214d2eaf827e359f6e64119ce
Instruction Fuzzy Hash: 32C1AF74E00218CFDB54DFA5D984B9DBBB2BF88300F1085A9D409AB355DB399E85CF51

Function 05CC08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8131df1e5baf26d0d6f61aded2b70bbc9c306c4ac9c14eddf642b833c687a9
Instruction ID: 64de7a246d9eb3873eb22b4a4fd5d705dd91fde7a1b766b330ddfcf35bb918ef
Opcode Fuzzy Hash: 2f8131df1e5baf26d0d6f61aded2b70bbc9c306c4ac9c14eddf642b833c687a9
Instruction Fuzzy Hash: 6EC1AF74E00218CFDB54DFA5D994B9DBBB2BF88300F2081A9D809AB365DB349E85CF51

Function 05CC2890 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e9623d621ac21e41731e3741b51bddd88ade91a8227029f037a1929a9f30e1
Instruction ID: fe732de05dde6917588a60f4c082272beb28fb62cc710965d7f04de47294855c
Opcode Fuzzy Hash: e4e9623d621ac21e41731e3741b51bddd88ade91a8227029f037a1929a9f30e1
Instruction Fuzzy Hash: 65C1AD74E00218CFDB54DFA5D984B9DBBB2EF88300F1091A9D809AB365DB399E85CF51

Function 05CC4B50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4beaa316329181485ce07489d1ef3e069c9c0adac73b1d29b009579a55366eb
Instruction ID: 009c34ccc8647ada9bf88b0940e13b2adc276dce8c1a5302736b18b096664a44
Opcode Fuzzy Hash: f4beaa316329181485ce07489d1ef3e069c9c0adac73b1d29b009579a55366eb
Instruction Fuzzy Hash: F4C1AF74E00218CFDB54DFA5D994B9DBBB2BF88300F1090A9D809AB365DB399E85CF51

Function 05CC1A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d369a8c761861f01521cc0ecaa9610172112147b0dcdc946aff93412de1f81b
Instruction ID: a342400bda68e0b0baf7e374c38006b7eed6054db8b652764f2e77034185c34a
Opcode Fuzzy Hash: 3d369a8c761861f01521cc0ecaa9610172112147b0dcdc946aff93412de1f81b
Instruction Fuzzy Hash: 60C1AE74E00218CFDB54DFA6D994B9DBBB2EF89300F1080A9D809AB365DB359E85CF50

Function 0142E398 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f073fa9ebca9c0a09b048fbd78fcf18e33704aa686a29eb356a56cba781d2beb
Instruction ID: ed08280ecf2a3dd72b03d0f07f575d6e1f782bf5bc2e66df3b10f54a6e9d39ee
Opcode Fuzzy Hash: f073fa9ebca9c0a09b048fbd78fcf18e33704aa686a29eb356a56cba781d2beb
Instruction Fuzzy Hash: 8EC1AF74E00218CFDB54DFA5D984B9DBBB2EF88300F1091AAD809AB365DB359E85CF51

Function 0142E7F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b57ae54e8c1e34f9b1c21bcfcefe6ac024cad5275454331fcd66839bebf94e
Instruction ID: 2730f9dab5b60ea4cf974e008f10238a0b40f50d4e5b8ed1128ad0161df47ab1
Opcode Fuzzy Hash: d7b57ae54e8c1e34f9b1c21bcfcefe6ac024cad5275454331fcd66839bebf94e
Instruction Fuzzy Hash: 06C1AF74E00218CFDB54DFA5D984B9DBBB2EF88300F5080AAD809AB365DB359D85CF51

Function 0142EC48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96ed499b28702e2d1b28fe4dfb69befb74fe19365bbbf6849afc62d72baf933
Instruction ID: 730c7a6a7e16f22709983f0a4243b290d02cfd62b611ab66f705d631d3048aaa
Opcode Fuzzy Hash: a96ed499b28702e2d1b28fe4dfb69befb74fe19365bbbf6849afc62d72baf933
Instruction Fuzzy Hash: EBC1A074E00218CFDB54DFA9D984B9DBBB2BF88300F5081AAD809AB365DB395D85CF51

Function 0142F0A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6617487dd43aaa04a3672ca3328687bd43bb0156fded7673cc6cf7ecec8b6a
Instruction ID: 0e90f451176fc9147c207a31a7c722cfd11ba6a806da5008486e9b5779a31744
Opcode Fuzzy Hash: be6617487dd43aaa04a3672ca3328687bd43bb0156fded7673cc6cf7ecec8b6a
Instruction Fuzzy Hash: 4DC1B074E00218CFDB54DFA5D984B9DBBB2EF89300F6081AAD809AB365DB355D85CF50

Function 0142F4F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2e1c2106328a129e3befe055f27442e65663fc7730d4911427fdf5c12815f0
Instruction ID: 07860ca1e65db49360ba354baee57aabd4f6b4bbe7e3e5c262d3e0230f471316
Opcode Fuzzy Hash: 7a2e1c2106328a129e3befe055f27442e65663fc7730d4911427fdf5c12815f0
Instruction Fuzzy Hash: 28C1B074E00218CFDB54DFA5D984B9DBBB2EF89300F5081AAD809AB365DB349D85CF10

Function 0142F950 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3564e2a2d7d5a7e95ef2041d251050fb2a7286ecf72700bdde4a3aab62a824b3
Instruction ID: 1a31f1ef1e519f63d128c4be27171097c48e3d4f7ab0707e7dedbfd38cbe9a55
Opcode Fuzzy Hash: 3564e2a2d7d5a7e95ef2041d251050fb2a7286ecf72700bdde4a3aab62a824b3
Instruction Fuzzy Hash: DCC1B074E00218CFDB54DFA5D984B9DBBB2EF88300F5080AAD819AB365DB359D85CF50

Function 05CC581B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f89ecaec1012bb83a8797d4dc7d8409661d875977f68009b15f8914202c565
Instruction ID: fa4ecc699ed06d3c1106ae76ed9209c360d54089cd11aba240de5beffb1cb941
Opcode Fuzzy Hash: 61f89ecaec1012bb83a8797d4dc7d8409661d875977f68009b15f8914202c565
Instruction Fuzzy Hash: 8AA19D74A01228CFDB64DF25C894B9ABBB2BF4A304F5085EAD40EA7250DB359E81CF41

Function 05CC59FB Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2816c227713cdbdb3bde4f7c600f3d6ab512bb13f94ee8c58cadf9510c6ff8a
Instruction ID: f29a34096859724fbaefadf25faf8396fb0964dba11640e47a7fff7efbf840f0
Opcode Fuzzy Hash: f2816c227713cdbdb3bde4f7c600f3d6ab512bb13f94ee8c58cadf9510c6ff8a
Instruction Fuzzy Hash: B1517E74A01229CFCB64DF24C894B9ABBB2FF4A305F5095E9D40EA7254CB359E81CF41

Function 05CC93F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3448993418.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5cc0000_SOA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe5e1909e17b58fa734632488b0273498d361d158842866c983f8a972d2a59c
Instruction ID: 01c56e87cb64f4d7b729453863da559579afd5dead8870c179b662fed74f1716
Opcode Fuzzy Hash: 4fe5e1909e17b58fa734632488b0273498d361d158842866c983f8a972d2a59c
Instruction Fuzzy Hash: 52018C30811208DFC720EF64F08C3ADBBB8FB0A313F5068A9E50AA3154E7344A84DB45

Function 01421A40 Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

Xaq, xrefs: 01421A76
Xaq, xrefs: 01421B7C
Xaq, xrefs: 01421B2F
Xaq, xrefs: 01421AB0

Memory Dump Source

Source File: 00000008.00000002.3443115665.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1420000_SOA.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 296cd0c904b0fdfb0c9bc3383f130687e29617ab2917a0549dbf4baceff01958
Instruction ID: 5227baeb0958c58dfb6fa884f95356569577d184c2d3fa990a39d26a2cdd9424
Opcode Fuzzy Hash: 296cd0c904b0fdfb0c9bc3383f130687e29617ab2917a0549dbf4baceff01958
Instruction Fuzzy Hash: 14316530E0022A8BDF658FAC85507AFBAF6BF84610F55406BC519A7365EB70C9C5CB92

Analysis Process: eVjuqWQWhLhEQl.exePID: 4072, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	47
Total number of Limit Nodes:	6

Executed Functions

Function 0172DDC0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0172DE3E
GetCurrentThread.KERNEL32 ref: 0172DE7B
GetCurrentProcess.KERNEL32 ref: 0172DEB8
GetCurrentThreadId.KERNEL32 ref: 0172DF11

Memory Dump Source

Source File: 00000009.00000002.2239468251.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1720000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a2a990f0c430595ab3e9a88ce4e4269afd37f4f4d336fdeea9acd5576f1c3d43
Instruction ID: 15c5d963137f4b2124af551100b4de8378e8bfbd0ee1273bdf12ce63ac67c6f3
Opcode Fuzzy Hash: a2a990f0c430595ab3e9a88ce4e4269afd37f4f4d336fdeea9acd5576f1c3d43
Instruction Fuzzy Hash: 695154B09012498FDB54DFA9D548BAEBBF1FF88304F20C469E019A73A0D7389944CB65

Function 0172590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017259C9

Memory Dump Source

Source File: 00000009.00000002.2239468251.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1720000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d9fb9e2522ff583615b246210141affe4993f70b67c9300252c708d70f1080d1
Instruction ID: 3a2a868aaa5dd9d35d28785c3bbd1291e954c497e9da502e51c595d2ab861ef9
Opcode Fuzzy Hash: d9fb9e2522ff583615b246210141affe4993f70b67c9300252c708d70f1080d1
Instruction Fuzzy Hash: 2041EFB0C00719CBDB24CFA9C885BDDFBB6BF49704F20806AD418AB255DB76594ACF90

Function 01724514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017259C9

Memory Dump Source

Source File: 00000009.00000002.2239468251.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1720000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 315ee571941ec458afb8edb11ba7ea23755ae16177626599312d9965aa92853d
Instruction ID: 659f71e37d5a971a0223e82e1c450627558995905c95818e396ad3033ff4f8b7
Opcode Fuzzy Hash: 315ee571941ec458afb8edb11ba7ea23755ae16177626599312d9965aa92853d
Instruction Fuzzy Hash: 2641D2B0C0071DCBDB24DFA9C844BDDBBB5BF49704F20806AD418AB255DB765946CF91

Function 072F0978 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 072F0A17

Memory Dump Source

Source File: 00000009.00000002.2246025525.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72f0000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e74b125ad478642d2f2bd9664096eae643c1a5d5318c2ba3f05dedc670ef06b0
Instruction ID: 746fd2a9c1fe95d0b4fe629b5608c0d77719f7ae8b99ab94cf848f81a4dade99
Opcode Fuzzy Hash: e74b125ad478642d2f2bd9664096eae643c1a5d5318c2ba3f05dedc670ef06b0
Instruction Fuzzy Hash: 5C31E0B591120A9FDB10CF9AD884ADEFBF5FF48314F14842AE919A7210D774A940CFA4

Function 072F0980 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 072F0A17

Memory Dump Source

Source File: 00000009.00000002.2246025525.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72f0000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 5b3af9335fe3f57939673f123cd1247fa3d57cbc82aff0ab60200217e1b6e2de
Instruction ID: 28796e415afcaedef31902f02657092826ba0efed1f483467f4094b0c1860eca
Opcode Fuzzy Hash: 5b3af9335fe3f57939673f123cd1247fa3d57cbc82aff0ab60200217e1b6e2de
Instruction Fuzzy Hash: 1621DFB5D0120A9FDB10CF9AD884ADEFBF5FF48320F14842AE919A7211D774A944CFA0

Function 072F4EE8 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 072F4F77

Memory Dump Source

Source File: 00000009.00000002.2246025525.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72f0000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 5547cd4ee15bb40b1a447d7e1ebaa0e5902ffe85be6438451a05cead0890d98a
Instruction ID: e894981ea34c02b1cd9de8cef2333e96e5b55ef12c8a72fef3ed4f09fec57992
Opcode Fuzzy Hash: 5547cd4ee15bb40b1a447d7e1ebaa0e5902ffe85be6438451a05cead0890d98a
Instruction Fuzzy Hash: FD217AB58043899FDB11DFA9D404BEEBFF4EB49314F10806AE959AB280C3786945CFA1

Function 072F4EF8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 072F4F77

Memory Dump Source

Source File: 00000009.00000002.2246025525.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72f0000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 771c83945d5d4e152dca59234aafaf6bf2523a51f150cd22162be858b7a9e862
Instruction ID: d4d68c5aeea11a4f3c6e334685fa79f1e050d7ab6d8ce776422b47583c028835
Opcode Fuzzy Hash: 771c83945d5d4e152dca59234aafaf6bf2523a51f150cd22162be858b7a9e862
Instruction Fuzzy Hash: 26215CB49102499FDB10DF99D404BAEFBF5FB89314F10841AE959BB380C7B9A905CFA1

Function 0172E008 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0172E08F

Memory Dump Source

Source File: 00000009.00000002.2239468251.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1720000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 307e566772e404f345b989f6ec2d8dd2473ceeb721a67f5c11f9f41b54ee6bb7
Instruction ID: 599bfa472ce503074b7292b43703b46414ad8772730ff7010bf4212a3d678607
Opcode Fuzzy Hash: 307e566772e404f345b989f6ec2d8dd2473ceeb721a67f5c11f9f41b54ee6bb7
Instruction Fuzzy Hash: B421F5B59002189FDB10CFAAD584ADEFFF8FB48310F14841AE918A3310D378A940CFA5

Function 0172BD20 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0172BD86

Memory Dump Source

Source File: 00000009.00000002.2239468251.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1720000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f9dfa9a1f5d9852c127766cdc7d94b3e8c46143976b611f4d0ec094a564905d5
Instruction ID: 8efebefdac559e72fee6d7483ae8700d32cd1cba4aad58be5410086b37f282bd
Opcode Fuzzy Hash: f9dfa9a1f5d9852c127766cdc7d94b3e8c46143976b611f4d0ec094a564905d5
Instruction Fuzzy Hash: 2E11DFB5C006598FDB10DF9AD444ADEFBF4AF89310F14842AD919B7210C379A586CFA6

Function 05BC2C08 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05BC777D

Memory Dump Source

Source File: 00000009.00000002.2245876524.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5bc0000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9117ee3001428f6bcaf4f359f05300b2da658cc2a6f5768f93ee072d100c6719
Instruction ID: d34443a710b322bdfeb45dc9367d4158697857e4ba7df7d903ba688df5473fca
Opcode Fuzzy Hash: 9117ee3001428f6bcaf4f359f05300b2da658cc2a6f5768f93ee072d100c6719
Instruction Fuzzy Hash: 2811F2B580034C9FDB10DF9AC488BDEBFF8EB48310F10845AE918A7200C379A944CFA5

Function 05BC7718 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05BC777D

Memory Dump Source

Source File: 00000009.00000002.2245876524.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5bc0000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f3ddde821c27c827157a384e70bf61243e2b8a591c374a5cc99bc1c6cc0152bd
Instruction ID: 9f0ce5ac0d5e2390abf330a5a6c9a82558a4232689c95451e337fa739faad269
Opcode Fuzzy Hash: f3ddde821c27c827157a384e70bf61243e2b8a591c374a5cc99bc1c6cc0152bd
Instruction Fuzzy Hash: 0D11F2BA8003198FDB10DF99D985BDEFBF8FB08324F10845AD958A7650C378A544CFA5

Function 0130D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2238843568.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_130d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90674d7f60bbbd5d030280a0322b8fecac5bb0a65f35493e860df0d889b46f1c
Instruction ID: d1a9fc21fb2f6063dd0108ad26e8707763e772bcf7862270a5c83cce768e9b96
Opcode Fuzzy Hash: 90674d7f60bbbd5d030280a0322b8fecac5bb0a65f35493e860df0d889b46f1c
Instruction Fuzzy Hash: 2D210371504204DFDB06DFD8D9D0B26BFE9FB88328F20C569E9090B296C33AD416CBA1

Function 0130D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2238843568.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_130d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862e6e4368c85966d5c0ee2d1f55cef676c69c939e66857f5838602d6a1758e1
Instruction ID: 908c753aaea3e04d7e30823d58380a099b287a2a0591ce8a5b104985aebc9291
Opcode Fuzzy Hash: 862e6e4368c85966d5c0ee2d1f55cef676c69c939e66857f5838602d6a1758e1
Instruction Fuzzy Hash: 2121F171500244DFDB06DF98D990B26BFE9FB8831CF20C569ED090B696C33AD416CAA2

Function 0131D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2238925181.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_131d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814c32f77ca1116db73571eab7c351ed04ccc52bffc7f7282687682ebe795c6c
Instruction ID: 52179c738310f81955fa5e37e097c9da2ac946e2b0040952daabce978ad0fa45
Opcode Fuzzy Hash: 814c32f77ca1116db73571eab7c351ed04ccc52bffc7f7282687682ebe795c6c
Instruction Fuzzy Hash: 75213771504204DFDB09DF98D5C8F26BBA5FB89328F20C66DD9094B35AC33AD407CA61

Function 0131D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2238925181.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_131d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d4d04faf8b4ca20985f6a0d8a544706082f4217c3a2c82cbb359e6c1d183e9
Instruction ID: 49c3ff77c0b63e3f62086689c8f4fc46ccc6be774d326621028a2af3034aaa30
Opcode Fuzzy Hash: d8d4d04faf8b4ca20985f6a0d8a544706082f4217c3a2c82cbb359e6c1d183e9
Instruction Fuzzy Hash: 89212275604204DFCB19DF68D988B26BF69FB89318F20C56DD90A0B35AC33AD407CA62

Function 0130D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2238843568.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_130d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: da2138a123182fbf6359740b043d38724e97740f8331aad016dcaa6fc0c877ee
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 72219076504240DFDB06CF94D9D4B16BFA1FB84324F24C5A9DD450A656C336D426CBA1

Function 0130D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2238843568.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_130d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 4c4e6d8afe9d19cf742cbfd01d12b02d14733e60b3a9bfb10ced7cafb2ea906e
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: E711AF76504280CFDB16CF54D5C4B16BFB1FB88318F24C6A9DD490B696C336D45ACBA2

Function 0131D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2238925181.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_131d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 635c82239635e1af84ed43ede2fdc47c7e31a55e45f3041ff7e4064439456803
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: AC11D075504280CFDB16CF58D5C8B15FF61FB45318F24C6A9D8494B65AC33BD44ACB62

Function 0131D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2238925181.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_131d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 1016b6eb170ef217ebd3078e4417a12b69d619bfdf9810965aa3fabc6c8863cc
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1611BB75504280DFDB06CF58C5C8B15BFB1FB85228F24C6A9D8494B69AC33AD40ACB62

Analysis Process: eVjuqWQWhLhEQl.exePID: 1812, Parent PID: 4072COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.1%
Total number of Nodes:	58
Total number of Limit Nodes:	10

Executed Functions

Function 06354560 Relevance: 3.4, APIs: 2, Instructions: 357
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 063545F8

Memory Dump Source

Source File: 0000000D.00000002.3450597815.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6350000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e83e6d3b38bc869f3938d97cc37c93addd3a12daed57fbaa8543717518894d6e
Instruction ID: eee11bf71e155905985818d0d4bc527665784c1186132adee9615a34e2ad1fce
Opcode Fuzzy Hash: e83e6d3b38bc869f3938d97cc37c93addd3a12daed57fbaa8543717518894d6e
Instruction Fuzzy Hash: B4F1E474D01218CFDB58DFA9D884B9DBBF2BF88304F5581A9D808AB356DB349985CF90

Function 01272DD1 Relevance: 2.9, Strings: 2, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 01272E0F
$]q, xrefs: 01272DF6

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: ddbab31cf9921b2f8bb1a57ab45ff1fb7d496c6d2ed768253b076a4f259cdab4
Instruction ID: bad6466c5a67b6a896ff11f2f3884e947a65f1670be6b5028046432f5b73bae1
Opcode Fuzzy Hash: ddbab31cf9921b2f8bb1a57ab45ff1fb7d496c6d2ed768253b076a4f259cdab4
Instruction Fuzzy Hash: 74E18C74F10219CFDB08DFB9D8556AEBBB2BF88710B14852AE406EB354DF349842DB51

Function 06354340 Relevance: 1.8, APIs: 1, Instructions: 263libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 063545F8

Memory Dump Source

Source File: 0000000D.00000002.3450597815.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6350000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5045193017e850562e93ad2a15ab3c47d3630d108808178aeb3732d757b4a172
Instruction ID: ac1ec70f126317873712db0b739193c047ee8ec88bb899be30a85a0bf968d3ff
Opcode Fuzzy Hash: 5045193017e850562e93ad2a15ab3c47d3630d108808178aeb3732d757b4a172
Instruction Fuzzy Hash: E991D1B1E002198FDF58DFB9D944AAEBBF6AF84310F118529C805A7396DB358D46CBD0

Function 0127DB08 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0293afd543851e092cd755f532da3dab8e184b5821aca641505ded1e1138d3
Instruction ID: 63ac048b68c16a77968e609fe44951fbf0cb1da2cb3ec15218cd95595f711478
Opcode Fuzzy Hash: 3f0293afd543851e092cd755f532da3dab8e184b5821aca641505ded1e1138d3
Instruction Fuzzy Hash: E7F13E71A102198FDB05CFACD9889AEBBF6FF99310B1A8459E505EB362C735EC41CB50

Function 01279E00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42f801253fd2553fc198e0219becfdda6defcce7f391ff27da09a8466d44212
Instruction ID: 33642593613e50e64560c2b61569d44f4b15686c5512d40093b8fcba113ce9d8
Opcode Fuzzy Hash: c42f801253fd2553fc198e0219becfdda6defcce7f391ff27da09a8466d44212
Instruction Fuzzy Hash: E2C1A074E00218CFEB14DFA5D994B9DBBB2BF88304F1084AAD809AB365DB355E85CF51

Function 0127A3B0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43396d573f2bfadcb4f5f56103bfd9861b2c835b10819f9408cfc41a3b9d120a
Instruction ID: a26b0fbc2913f6696c857518ee1de9100c7a95678e13adb7d84176316330ed62
Opcode Fuzzy Hash: 43396d573f2bfadcb4f5f56103bfd9861b2c835b10819f9408cfc41a3b9d120a
Instruction Fuzzy Hash: B7A12470D10209CFEB14DFA9C988BDDBBB1FF88314F248269E508AB291DB749985CF50

Function 0127A3C0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b29379849526547c73db98cc4fd92013208d7a5409dbf3b41bddb1921e12ef
Instruction ID: 9c41e22ab2074e871f43ea0fc048f20daa87481df272e4a00aaafc63a6368466
Opcode Fuzzy Hash: 41b29379849526547c73db98cc4fd92013208d7a5409dbf3b41bddb1921e12ef
Instruction Fuzzy Hash: 03A12670D10209CFEB14DFA9D988BDDBBB1FF88314F248269E508AB291DB749985CF51

Function 0127A706 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9894499d88eb60475b09c314bc9feb53d0e7b0ab5fc0dee323e9e3eaa73ff50b
Instruction ID: 24cd07a4a870ea1fd5d6212265ff3f2484ebd3591679826cb652e779b9a21bf8
Opcode Fuzzy Hash: 9894499d88eb60475b09c314bc9feb53d0e7b0ab5fc0dee323e9e3eaa73ff50b
Instruction Fuzzy Hash: 49911374D10208CFEB14DFA8D888BEDBBB1FF49314F248269E509AB291DB749985CF50

Function 01279DEF Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5ea8457f73896fa3cd70dff15e19b63b7e8fcfbd86c5e47c71c9032490d730
Instruction ID: 2fc8eace7209df1068da6145c8bbc64e8f865cf0f4fdc2ccd33855e14a361131
Opcode Fuzzy Hash: dc5ea8457f73896fa3cd70dff15e19b63b7e8fcfbd86c5e47c71c9032490d730
Instruction Fuzzy Hash: 3241F870E002488FEB18DFBAD8546EEBBF2AF89304F14C12AD419AB395EB755945CF10

Function 01273F78 Relevance: 6.4, Strings: 5, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 012740E1
Lj@p, xrefs: 01274078
0o@p, xrefs: 01273FDA
PH]q, xrefs: 012740F2
Lj@p, xrefs: 01274088

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 0bd01fce9010c315f81f1393ed18480ba1febbe4274bc372618badaf67b6a9a6
Instruction ID: dd8be370dfe65f5812281895794a8eb3c9fd43b804d808f5a013d28eb1c3479b
Opcode Fuzzy Hash: 0bd01fce9010c315f81f1393ed18480ba1febbe4274bc372618badaf67b6a9a6
Instruction Fuzzy Hash: 0451C574E10248DFDB08DFA9D99499EBBF2BF89310F10846AE815BB364DB74A945CF10

Function 012719B8 Relevance: 5.8, Strings: 4, Instructions: 837
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 01271B7C
Xaq, xrefs: 01271A76
Xaq, xrefs: 01271AB0
Xaq, xrefs: 01271B2F

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: b61d906c54d9644becf2d4f1e9b278dd3abab834f6abcbec838a50331bd32cd0
Instruction ID: 24d47c29353eefdd1cf359ae61ae77afc0466415b426d8986cf370feb7185bcc
Opcode Fuzzy Hash: b61d906c54d9644becf2d4f1e9b278dd3abab834f6abcbec838a50331bd32cd0
Instruction Fuzzy Hash: 7552F672D543A38FC7A58F74C8571E9BBF1FFA53247288A5EC0E189941E3784992CB42

Function 0127B2C0 Relevance: 5.3, Strings: 4, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0127B3AD
Haq, xrefs: 0127B51B
Haq, xrefs: 0127B54E
Haq, xrefs: 0127B581

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 397b1cce7e2af9edc86868e0e529153e558ef43a725786dd7194bc8bf8ef5962
Instruction ID: e5f9727def0011682401a3e42982a4cfa6392930c17b577e3d01b8fe28faae4c
Opcode Fuzzy Hash: 397b1cce7e2af9edc86868e0e529153e558ef43a725786dd7194bc8bf8ef5962
Instruction Fuzzy Hash: 9BB107307142058FEB15AF7CE86926E3BA2EF85324F14452AEA16CB3D1DF389D41C7A1

Function 0127B2BE Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0127B51B
, xrefs: 0127B35D
Haq, xrefs: 0127B54E
Haq, xrefs: 0127B581

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: fbce342c90536dbbb66c6885bb3220323a3a54bba0ceacd67dd57ca6a70beb1b
Instruction ID: cb2984fbd65bba1e2a099f177787057bd61eb83ec29d1a74ad9ee500a26d79c2
Opcode Fuzzy Hash: fbce342c90536dbbb66c6885bb3220323a3a54bba0ceacd67dd57ca6a70beb1b
Instruction Fuzzy Hash: 8A81F530B102158FEB15AF7CD45926E3BA2EF89324F14452AEA16DB3D1DF388D41CB91

Function 0127CDC8 Relevance: 4.6, Strings: 3, Instructions: 824
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0127D90F
$]q, xrefs: 0127D8EC
(o]q, xrefs: 0127DAC9

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: (o]q$$]q$$]q
API String ID: 0-989248301
Opcode ID: 1e2c1da9dda13ee18e3b20808b246bb7d2d1c3a4e49b17b31e06e5c5ab25e6b0
Instruction ID: c86f7bfced2e9ad9bd24424767b314a8eb710ff0b12a23a5b1ac0a6dd8f2a5ce
Opcode Fuzzy Hash: 1e2c1da9dda13ee18e3b20808b246bb7d2d1c3a4e49b17b31e06e5c5ab25e6b0
Instruction Fuzzy Hash: 22728474A0021DCFEB159BA4C960B9EBB76FF84300F1080ADD54AAB3A6DE345E45DF61

Function 0127BAD8 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 0127BCC2
8bq, xrefs: 0127BC89

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 43993fdb4c834cca3a6a296eb2d8d7db96d9a4c174d80c18bc1b2a3d8b98588b
Instruction ID: e39eb63604a36fcc77ef74858b0c9ac965a20ff416d155d5b94099ebd9a1b962
Opcode Fuzzy Hash: 43993fdb4c834cca3a6a296eb2d8d7db96d9a4c174d80c18bc1b2a3d8b98588b
Instruction Fuzzy Hash: 6A515835A101098FDB05DFA8C594EEEBBB6EF88320F155059E601EB3A5CA71ED45CBA0

Function 01272C78 Relevance: 2.6, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 01272CBE
Xaq, xrefs: 01272C95

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: cfecefb11b5f81f6ff6a474fe7b082cf5cf956b96648c92ee1153b38917da674
Instruction ID: d1c546de1ac82855dd589144cca5252f95c3f94355f86296f3c0fc222e7d6f17
Opcode Fuzzy Hash: cfecefb11b5f81f6ff6a474fe7b082cf5cf956b96648c92ee1153b38917da674
Instruction Fuzzy Hash: 1531F435B24326CBEF1D4AA9999527F6AA6FFD4200F15403EDA02C7395EFB8CC468351

Function 0127BBB1 Relevance: 2.6, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 0127BCC2
8bq, xrefs: 0127BC89

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 5f5bdedf1e3ae42942043a244f944d4ede0b58da2e01471cf8209f2482ca99cb
Instruction ID: 6ead3c1a318ed796181985be930285608cec8726b9eb983f44aa0d3947945342
Opcode Fuzzy Hash: 5f5bdedf1e3ae42942043a244f944d4ede0b58da2e01471cf8209f2482ca99cb
Instruction Fuzzy Hash: E7313535B501098FCB45DFA8C580EEEBBB6EF88320F195454E505AB3A5CA70EC85CBA1

Function 0127BBE5 Relevance: 2.6, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 0127BCC2
8bq, xrefs: 0127BC89

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: 825f48be5d7340d1effc8ca37465e1ff2d95b4560a4b33d04a85635592f799ee
Instruction ID: 34ca88cd24b365a94551d1e5a59cdcbdfd82fb28e36e4a9f48f3858711ab0c8b
Opcode Fuzzy Hash: 825f48be5d7340d1effc8ca37465e1ff2d95b4560a4b33d04a85635592f799ee
Instruction Fuzzy Hash: 24313735B501098FCB45DFA8C590EDEBBB6EF88320F155454E505AF3A5CA70EC45CBA1

Function 06354944 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06354A86

Memory Dump Source

Source File: 0000000D.00000002.3450597815.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6350000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d7937bcbe4b7cc958e308bf9f4298ce14b3af9e1f553675bac1ec09dee311bd
Instruction ID: 3f29e196fc5bd1ae9e553f2dd113e103126b3ce2e5e1ff8f2684ad3468b4a583
Opcode Fuzzy Hash: 2d7937bcbe4b7cc958e308bf9f4298ce14b3af9e1f553675bac1ec09dee311bd
Instruction Fuzzy Hash: DF115974E011099FDB88DBA8D884EADBBF9EB88305F558124E814A7242D730E981CB94

Function 01270B20 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01270B62

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 7bedfa4df120a5b94a845a0b8eab1ba5175bbadb04c6e8dc833c89705f2635fe
Instruction ID: b36cdb415bc6323d6187a6e51c6e054763de66488d42a855bcbe7e94eb13c9d3
Opcode Fuzzy Hash: 7bedfa4df120a5b94a845a0b8eab1ba5175bbadb04c6e8dc833c89705f2635fe
Instruction Fuzzy Hash: D5A12D74A4021ACFCF05EFA8FA8599EBBB5FF44309B104529D405AB769DB346E09CF81

Function 01270B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01270B62

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: bd07b837b81223e297c9caa1d160792a06875bad40c9663bdab7743ed47d6bcf
Instruction ID: 5a37457842a51fdb046c6ab3d67d716dab5d45443104ce24892227780fbc59ee
Opcode Fuzzy Hash: bd07b837b81223e297c9caa1d160792a06875bad40c9663bdab7743ed47d6bcf
Instruction Fuzzy Hash: E8A10C74A4021ACFCF04EFA8FA8599EBBB5FF48309B104525D405AB769DB74AE05CF81

Function 0127BFF0 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

Haq, xrefs: 0127C085

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 7eec6282d7258c58a80054657a1abfdcabd30f96d2be594b8e5737cd891cebc6
Instruction ID: 0c9e414d313d3e6b48f7a4c8b093a3d6931b4834b9db920c539595e72112534a
Opcode Fuzzy Hash: 7eec6282d7258c58a80054657a1abfdcabd30f96d2be594b8e5737cd891cebc6
Instruction Fuzzy Hash: 7E31E530B102099FDB49AF78D8455AF7BEAEF89200F1044B9E509DB351DE34DE02CBA1

Function 0127C888 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4']q, xrefs: 0127C903

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 77d34d593601d5503122c9d2e1cb31d2e81f16252ffba44e987deeef1ebfb854
Instruction ID: 569e339615949e0039158437d28b8a784ea78f7e2019163eb7fc6c2d633c9859
Opcode Fuzzy Hash: 77d34d593601d5503122c9d2e1cb31d2e81f16252ffba44e987deeef1ebfb854
Instruction Fuzzy Hash: 6141487461021ADFCB15DF29D948AAE7BB6BF48310F050069EA168B3A1C774DD61CB90

Function 0127C140 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Haq, xrefs: 0127C18E

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: f46a1e23985154e396c90802aa6aa4629699ab00b31762b720ba7bf6d9416958
Instruction ID: 015239755b86bc4c2d1d63b1dfcf709983aa0b2a475c2a0aa912d537241752ea
Opcode Fuzzy Hash: f46a1e23985154e396c90802aa6aa4629699ab00b31762b720ba7bf6d9416958
Instruction Fuzzy Hash: 0D310634710246DFC704EF78D850A2E7BA6FF89300B1080AAD9058B761CE319D52CB91

Function 0127CBC0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4']q, xrefs: 0127CC3A

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: e4b2209fd6ffc3623bb547ec6ff3103e318501b14b427eb311aa6eaec1fdbbd4
Instruction ID: 943074c015849241042d107deda796d8e48c17a8468bdf3a380f81a41c2872d4
Opcode Fuzzy Hash: e4b2209fd6ffc3623bb547ec6ff3103e318501b14b427eb311aa6eaec1fdbbd4
Instruction Fuzzy Hash: 7C21D33172425B9BE714DE39998477B7BEAAF95240F09442EEA11C7644DBB0C860C7A0

Function 01274E6D Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fab9bc2591f18988a4baa8b7bd322f8acfa3c574fd3db72cda772001dbc522
Instruction ID: b7d10451dcd3f33300731a98d335949ac1b9cbdecdea1cde239518197c5c3be1
Opcode Fuzzy Hash: 70fab9bc2591f18988a4baa8b7bd322f8acfa3c574fd3db72cda772001dbc522
Instruction Fuzzy Hash: 4CF015B5429B8A8FD3022B74ACBD2BA7F70EF0BB177492D41E04AC5072DB744406EB01

Function 0127C2D8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac366a38ce42e31ac1302c542c240e6576db5cfb94a5af85692ef5bf1ca09150
Instruction ID: 44fb95de07b4d53de45f30169b843b538cd06f14a383669ec1b5afa86a732d01
Opcode Fuzzy Hash: ac366a38ce42e31ac1302c542c240e6576db5cfb94a5af85692ef5bf1ca09150
Instruction Fuzzy Hash: 7061E372B102079FCB24DB7DD8549AFBBF9EFC8320B14852AE619D7740D631D91187A0

Function 0127CA78 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0b8da75c5236e831da1f2bc8849b1535243854c31d9a2f9272ebd6372a16f8
Instruction ID: 185ff6aa6cbb9a5a40f645eb20a2d2a2262f4b6209f2aeca05ed140ac6aad75b
Opcode Fuzzy Hash: db0b8da75c5236e831da1f2bc8849b1535243854c31d9a2f9272ebd6372a16f8
Instruction Fuzzy Hash: 4D519D317241138FDB14DF3DD884A7B7BEAEF8861170944AAE60ACB262EB70DC119B50

Function 01279B9F Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462e00984054af7460fadbf115ee28fee5434da36f02b1a3e85e5598aaeed79d
Instruction ID: c6358cdfd943d24340e4d381a6d12b3c1f0b4d5ea9e1a0e0cb6bcf1e00e39e1f
Opcode Fuzzy Hash: 462e00984054af7460fadbf115ee28fee5434da36f02b1a3e85e5598aaeed79d
Instruction Fuzzy Hash: D74110B183A24A8FF6012B35AAEE17A7F74FB4B323B406C41F11A85D91DF7445899B10

Function 01273168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d33e532d38a91127260f79d06a00c192d8e90321bd9687de04c7f909f280d0
Instruction ID: 62e49fcd63a67bfd7769ca8e26e908a9634eb2f8ac0e193e66c6fa07b1f3c480
Opcode Fuzzy Hash: 78d33e532d38a91127260f79d06a00c192d8e90321bd9687de04c7f909f280d0
Instruction Fuzzy Hash: CE41B374E11219DFDB08DFAAD98499EBBF2BF89310F249429E405BB364DB30A945CF14

Function 0127CCAB Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d76fb42a6b8f864a5b93f699fd576ca9e2ac624627dd49f2a8101c78e562001
Instruction ID: 5ceb84a4458436eabb74de5f6b82422da3ced3e05b23baa84e9da2363e90667d
Opcode Fuzzy Hash: 6d76fb42a6b8f864a5b93f699fd576ca9e2ac624627dd49f2a8101c78e562001
Instruction Fuzzy Hash: 8421F5313242038FDB2A2B3D885857F3E97AFC9645714407AD706CB3A6EA78CC12D751

Function 0127DAF9 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b738b777ce16fe6df90992f1ebbb54d83f9ec5054fe1b802096ef343a7a0419
Instruction ID: 423297efb0f3cf886a37807a8ac1e9ba33ae41727addebd80f0e44034b4be8ee
Opcode Fuzzy Hash: 2b738b777ce16fe6df90992f1ebbb54d83f9ec5054fe1b802096ef343a7a0419
Instruction Fuzzy Hash: 05316E70A106098FCB04CFACC8889AFBBB6FF85310B198559E555DB3A6DB349C42CB94

Function 0127CCB8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a210f818df9873e2c4a91a4aa5836e9bde6dd233fb96ef98a98bedb6e8b9e992
Instruction ID: 6748d6b25ad0c365a53ab5e44229ccc4ce50eda54a5e9003c7dafa717121877c
Opcode Fuzzy Hash: a210f818df9873e2c4a91a4aa5836e9bde6dd233fb96ef98a98bedb6e8b9e992
Instruction Fuzzy Hash: 8F21C2303242038BEB29263DC85867F3997AFC5645F148079D706CB395EA79CC52D791

Function 012718C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0127bf7cf0e5a599f135432bba43f256e096402277419534fa028c1237d7dc2
Instruction ID: 66f84ac90135ffef3cf7e9f1fa87c44e3db540d7edf42b988a50b09e542b8ba0
Opcode Fuzzy Hash: e0127bf7cf0e5a599f135432bba43f256e096402277419534fa028c1237d7dc2
Instruction Fuzzy Hash: 7521AF35A00116DFCB14DF68C8409EF37A5EF89664B24C419E90D9B384EB34EA0BCBD2

Function 0127FDA8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a101fd11b597cf25362430a7effd3f641c36c05938f9b69f98c5e12f3545a0
Instruction ID: 9ce2584e547e61de34fc8ad926d8c14a4d216fdae8ad19a55793d8bc7a583071
Opcode Fuzzy Hash: 21a101fd11b597cf25362430a7effd3f641c36c05938f9b69f98c5e12f3545a0
Instruction Fuzzy Hash: 9E21A8767051059F9744DF1DE5408AABBE9FFC9224314C42FE919C7341EA32D906CB60

Function 00F8D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3443551799.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f8d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a81f06eeb940ced8743ed2f1615c725244c758bb77d10c7651d4af56a8cf8e
Instruction ID: ee5cc6965c8e2b0776c82702f7c140c3e36cb45fce1ecbf5cf37f2b23dd86501
Opcode Fuzzy Hash: f1a81f06eeb940ced8743ed2f1615c725244c758bb77d10c7651d4af56a8cf8e
Instruction Fuzzy Hash: FE21F271604204DFDB14EF14D980F66BBA5FF84324F24C669D90A4B29AC33AD846EB62

Function 00F8D005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3443551799.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f8d000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a18f53b64e1fa4e86a1372af440f0a7f52f4ecf544aeb9faa763e68ea5a4ef
Instruction ID: 3090c96cc8fd17f9f0ca90da19431c30e20487d03802bbbd3189d57ce256260b
Opcode Fuzzy Hash: 77a18f53b64e1fa4e86a1372af440f0a7f52f4ecf544aeb9faa763e68ea5a4ef
Instruction Fuzzy Hash: 4F214D7150D3C09FDB03DB24D994711BF71AF46224F29C5DBD8898F2A7C23A980ADB62

Function 01270EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55426cbce571f2754c0d3d09b38b19cd5d3a0e0eebed0b6d56a91a6ce9df647f
Instruction ID: 79424df637c12d065af9877990fb12cd4f766c7e5eaa7196c6c1dea4cd0aa74d
Opcode Fuzzy Hash: 55426cbce571f2754c0d3d09b38b19cd5d3a0e0eebed0b6d56a91a6ce9df647f
Instruction Fuzzy Hash: 82218370E152099FDB09EFB9C4456AEBBB2EF86304F00C4B9E4085B395EB749906CF51

Function 01279D32 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd816da3825c017ec90daefaeb84b4fe99b819080bf097856006ca8e9f98670
Instruction ID: d3691a5a14c434d083b8861658668f1221ddf1676feaabec811b4455eb6b0477
Opcode Fuzzy Hash: 2fd816da3825c017ec90daefaeb84b4fe99b819080bf097856006ca8e9f98670
Instruction Fuzzy Hash: 7321D37091420A8FEB42EFB8DA9869FBFB5FF02305F408994E0089B695DB354A45CB41

Function 012717B8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dc0bd552ca12397e6691e1f4c719b2ebc787119025db892effac0c9d43bddb
Instruction ID: 8e5b8da4a35c9af53772d29837f18c0c2897bd33088ea4f017d3c70907d38f00
Opcode Fuzzy Hash: 50dc0bd552ca12397e6691e1f4c719b2ebc787119025db892effac0c9d43bddb
Instruction Fuzzy Hash: A02107B0C1520A8FDB01DFB8D9559EEBFF0EF0A314F14516AD405B7261EB345A85CBA1

Function 0127BEA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd5c60ca2647080ddd51d0b155b06251e095e9bfb021dca1b9a71b891624e7c
Instruction ID: c3d527430cf36f62aff515a212b65e8683080aded9b4ff83865e028f1bd1c28e
Opcode Fuzzy Hash: 5dd5c60ca2647080ddd51d0b155b06251e095e9bfb021dca1b9a71b891624e7c
Instruction Fuzzy Hash: 9E116A323102048FC718DB6EE598E56B7E6FF88721F108469E20ACB771CA71EC05CB61

Function 01275201 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6619d1a844f26746c8ae1bb4bbd8cda599581e034aca98de6807c6ef5b661ca
Instruction ID: 069c7fdc347ce977aeb6208a6615a6620536bcf38f84f0172ac9cdaf9857e53f
Opcode Fuzzy Hash: c6619d1a844f26746c8ae1bb4bbd8cda599581e034aca98de6807c6ef5b661ca
Instruction Fuzzy Hash: 1D01F532B082064FE7115BB9585457B77E7EE84918715447AD509C7251FE38DC028752

Function 0127BE91 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e5b4ee28f166564c81664182899b2ce48d6bcb522b481ea887a789631e941f
Instruction ID: 244a34a6153174fb6300db27891337d628922ce759f0bb438f849224e1801f31
Opcode Fuzzy Hash: f7e5b4ee28f166564c81664182899b2ce48d6bcb522b481ea887a789631e941f
Instruction Fuzzy Hash: 3B11AD323202018FD718CB39E598A56B7E5FF89711F15886AE209CB762CA71EC05CB11

Function 0127BE71 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3838573822f094501e9618b416d47885bb4e5af4e7cfa22caa96a2411c4e7814
Instruction ID: a4e84d5f99949acc8098acde7a6de6de707faa9b296b890499c2f89381e8f25c
Opcode Fuzzy Hash: 3838573822f094501e9618b416d47885bb4e5af4e7cfa22caa96a2411c4e7814
Instruction Fuzzy Hash: F201C0313142018FD709CB39D568A567BB1EF46711F0588AAE246CF7B2C671DC05CB22

Function 01275210 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85f3050d7c245f9045472b38812be052b7629314708978e5d3062570b89408b
Instruction ID: 4c102c3f0ba66a1c2a36c66bf4e19b82ce06b01b22bb3745702e1b78ef6d7bce
Opcode Fuzzy Hash: e85f3050d7c245f9045472b38812be052b7629314708978e5d3062570b89408b
Instruction Fuzzy Hash: FC01D632B043164FDB14AFBD985452FB6EBEFC49687144539DA09C7214FE34DC028792

Function 0127A840 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb1041e66f45fc5c51bb4da074f65f3a2102b360bcaa5d3fe8f845c848901c2
Instruction ID: 19d9d841d57c0173586c926c088f82016b0daff527c32af782d621581162d6d8
Opcode Fuzzy Hash: 8bb1041e66f45fc5c51bb4da074f65f3a2102b360bcaa5d3fe8f845c848901c2
Instruction Fuzzy Hash: E3019E36910119DFEF60DF78D8489EF7FB5EB88220B044129F929D3280DB304A11CB91

Function 0127A850 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0c12e2e2e80964bace53fd4aef37774271549076fa02d64d48c2e9bfe9b8be
Instruction ID: caec6d7ca257cc4cf9170d50c329862ed1c0a841e9c78042d196bd062afe1103
Opcode Fuzzy Hash: 4c0c12e2e2e80964bace53fd4aef37774271549076fa02d64d48c2e9bfe9b8be
Instruction Fuzzy Hash: 06015E35E10119DFEB149F79D8599AF7FB5EB88310B004539F91AD3280DF348D118BA1

Function 0127C250 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f77f2d342f4676dd76c225fa42e7b641b1012d8b5137eea601c00f4b51b67d
Instruction ID: 1cd95b4a1ad4b922d3bfad59240ff139d8e7172f86bca10253f9ecc3ba88fd89
Opcode Fuzzy Hash: a4f77f2d342f4676dd76c225fa42e7b641b1012d8b5137eea601c00f4b51b67d
Instruction Fuzzy Hash: 51F04C377282448FEF162BBC981946D3FA6DBC9211B154467E609C7781CE39DC43C7A5

Function 0127FD98 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8e74cbf576b28783e3f4b0f5aeea253610a698f0a17f485e519400ef369458
Instruction ID: f76cf3d88cf11892fa40f3af6ce5bb8d222280b4e104893068775c485b4ac1b3
Opcode Fuzzy Hash: 3e8e74cbf576b28783e3f4b0f5aeea253610a698f0a17f485e519400ef369458
Instruction Fuzzy Hash: 8FF0C272B051169F8741CE7CAA549ABBBEAEBD9254314C52BE559C3381EA31C9038BA0

Function 0127BF80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6aada8b31f1b97b18fa214ec83bd7afd87a532d9811912d5d823619ebca8151
Instruction ID: b6d0cd8881140b54673ff77202eebff27f8fedc7fd506baca5e78a42891306e0
Opcode Fuzzy Hash: f6aada8b31f1b97b18fa214ec83bd7afd87a532d9811912d5d823619ebca8151
Instruction Fuzzy Hash: 01F0CD307193925FD7125778D51946B3F699F57210B0544E7F642CB693DD359C00CBA2

Function 0127BD31 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba97522d00b98290deacb85a099061f2a25f09fb6af436ed0effb9f7dff80f77
Instruction ID: b127c74400fc4bc0f513b9dded48de8b49dd5b170fd2113d668cbaecb8bc33e7
Opcode Fuzzy Hash: ba97522d00b98290deacb85a099061f2a25f09fb6af436ed0effb9f7dff80f77
Instruction Fuzzy Hash: F3F0F072D102059FCB90DFB9D8859DFBFF5FF5C210B000A2AD508D3210D630A6068B90

Function 0127C508 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a84c83db02bd364fc68220ff596b834f24783d7f30f3f08227d72454306189
Instruction ID: d322d25e905f315ecf96ffaffc50ffc9b5053aa573298f1a0331884d8f836db5
Opcode Fuzzy Hash: a5a84c83db02bd364fc68220ff596b834f24783d7f30f3f08227d72454306189
Instruction Fuzzy Hash: 7AF0A032B046169F9B199A6EB41496FBBAADFC5661714407AE608DB3A0CE32DC0287D4

Function 0127BF38 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64bd5aee9976baf9fda89775913fb0b0a3a9c77cc9187658b412c0249ab948fe
Instruction ID: 402a1de20f91584eb5a13049bcf258014ac966e09e93260933f4d830421167a4
Opcode Fuzzy Hash: 64bd5aee9976baf9fda89775913fb0b0a3a9c77cc9187658b412c0249ab948fe
Instruction Fuzzy Hash: 48F0BE7A3502008FD3489BB4E458D55BB71EB99721B0140A6E609CB3B2CA32EC06CB51

Function 0127BD40 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab53daf627e8268a5bc9a57308230dd2c4e1b244c95bfbfb413d69e8fa57c29
Instruction ID: 0100847da6304d6be4715af7968eda6e3119c1e0be9caaa65fed6b26fcf63389
Opcode Fuzzy Hash: 1ab53daf627e8268a5bc9a57308230dd2c4e1b244c95bfbfb413d69e8fa57c29
Instruction Fuzzy Hash: EBF08272D002099F8B50DFAED8419AFBFF9FF98350B40453AD609D3210E6709915CBE1

Function 0127BF70 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29b1cb925dd8e6ed603ad4ab76b3b1c9dbec64f523df474f3033c08ec0ebf15
Instruction ID: 7968fe2be5d2a57f43f6ced59461dc795fb4a5694cf31c2509ec1c7226f71acb
Opcode Fuzzy Hash: a29b1cb925dd8e6ed603ad4ab76b3b1c9dbec64f523df474f3033c08ec0ebf15
Instruction Fuzzy Hash: CFE0D8367292125FE750A7BCC5558AABF64DFA6750B0848A6FA00C7661D531AC0087E2

Function 01275088 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1a8a52d1ac17690e58fd7a1fc7a3ce13466095e2a7ed6b54fe14aa3a3e21f1
Instruction ID: 2eac10cd5a9b75dc9ca7292ed62ed9540062cd8543f0471d7c54e2986dc16a27
Opcode Fuzzy Hash: 5e1a8a52d1ac17690e58fd7a1fc7a3ce13466095e2a7ed6b54fe14aa3a3e21f1
Instruction Fuzzy Hash: DBE09274021B0B8FD3102B64B8AC2BEBA65EB0BB27B842D00A10E840319B744844EB45

Function 01271877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cc8bfa6a9e61906ecd6ff45b80ea0aea0b1bd4827a05b1469d081b1702be49
Instruction ID: 35f389a1cdf2ae62b9d1be3a0f922408c0f9e34d4b49c65eb508b35dfcb6ad64
Opcode Fuzzy Hash: 49cc8bfa6a9e61906ecd6ff45b80ea0aea0b1bd4827a05b1469d081b1702be49
Instruction Fuzzy Hash: CFE02635D20226CFD702ABB0A9410DDB334ED81210B158113C06C37150EB30260F8AA1

Function 0127BAD6 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1611789710361a35b5c6cdc6d3364a3a97205b843a9f6fed076764f2f2a5fa
Instruction ID: 597ee307635d72ca11443ccf9c0a1870424d3c0e59fe051603b1525583da00f7
Opcode Fuzzy Hash: 3e1611789710361a35b5c6cdc6d3364a3a97205b843a9f6fed076764f2f2a5fa
Instruction Fuzzy Hash: 25E08C373111208FC3148E9DE484C6ABBA9FF9C62A319047AF609CB320CA71DC01CB90

Function 01271888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ed400801cd32cb914a3ed73ceebbbca8308121e61587d34d281e99c5232ac2
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 87ed400801cd32cb914a3ed73ceebbbca8308121e61587d34d281e99c5232ac2
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 0127325B Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24a8204f1ea475f0c827de4d44086ffdbaae1fe36b2f5c124e3916d83f7770
Instruction ID: ddfa247960e1af7cd8f73cfed0d212b52af7b8f594dfd5f4c5848b2fda06aab0
Opcode Fuzzy Hash: 9e24a8204f1ea475f0c827de4d44086ffdbaae1fe36b2f5c124e3916d83f7770
Instruction Fuzzy Hash: 74E02D78E4420DCFCF10DFA9E64589DBBB9FB45305B109066E829AB210D6785A11DF51

Function 0127D9FD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ecab58df06a07d55259088f976b819bc47675da4a16b3d06eb66ec557c962bf
Instruction ID: 2945dbe162317cc3e8c77543685ea228589ddf39cb8d51086837da2fb9f3f5a8
Opcode Fuzzy Hash: 4ecab58df06a07d55259088f976b819bc47675da4a16b3d06eb66ec557c962bf
Instruction Fuzzy Hash: 44D0677AB400189FCB149F98E8449DDBBB6FB98221B048116EA16A3261C6319921DB50

Function 0127BF48 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fed29dab3c3100500799710f2832a0c171004ba5941c6f0e2f53ec590ac03a
Instruction ID: 5dba8242b0baae8e7200fca7c23e3ed61b63daea788e99144cd3f7f2ddc8621a
Opcode Fuzzy Hash: c6fed29dab3c3100500799710f2832a0c171004ba5941c6f0e2f53ec590ac03a
Instruction Fuzzy Hash: B5D0A7353502158FD304AB74E418C6577A9EF4867470140A5F50A8B362CE71DC0087C1

Function 0127A8A2 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e3a2d824d9bfa63a6d776cf2435f69179fa16ce36683e4c5d7b4e47c6f5015
Instruction ID: e2e74bd56f476f522729aa8f9bf54dcdffe488f1e7fb398d47caf336fcddc793
Opcode Fuzzy Hash: 74e3a2d824d9bfa63a6d776cf2435f69179fa16ce36683e4c5d7b4e47c6f5015
Instruction Fuzzy Hash: 12C09B37F75415C76915555874054DEF720D5C0235B5445A3E31247045D77106277695

Function 012751E0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccefe9801f5dde268a6d0ec5d6e7a5e6f6ff744ddba0e79d2dfd49f5d4ec1458
Instruction ID: 46e5662d6592e9d9832810fc5148a17e1797db607fc13fbf92f6a0104a0ac65c
Opcode Fuzzy Hash: ccefe9801f5dde268a6d0ec5d6e7a5e6f6ff744ddba0e79d2dfd49f5d4ec1458
Instruction Fuzzy Hash: C6B09BA548D7804FDB02536025750967F2194565053164185C44446053851C55078721

Non-executed Functions

Function 01271A40 Relevance: 5.1, Strings: 4, Instructions: 93COMMON

Download Yara Rule

Strings

Xaq, xrefs: 01271B7C
Xaq, xrefs: 01271A76
Xaq, xrefs: 01271AB0
Xaq, xrefs: 01271B2F

Memory Dump Source

Source File: 0000000D.00000002.3444050511.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1270000_eVjuqWQWhLhEQl.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 4e315099778f28f2659d8ae561844a7737fcc461c04e7402cd21a0de1f306a2e
Instruction ID: d2f8b9721af45b009e36dca260f953bea9998e5bae66b7fc9d4795a05957308b
Opcode Fuzzy Hash: 4e315099778f28f2659d8ae561844a7737fcc461c04e7402cd21a0de1f306a2e
Instruction Fuzzy Hash: A331C330E1031B8BDF699F6C854137FBBE6BF85210F1540A9C655A7295EF30C981DB92

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eVjuqWQWhLhEQl.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wbyuppv.0iw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he420c4a.tpp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njhfenlg.bxn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukcgwvlj.npw.ps1

C:\Users\user\AppData\Local\Temp\tmp2349.tmp

C:\Users\user\AppData\Local\Temp\tmp2E55.tmp

C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe

C:\Users\user\AppData\Roaming\eVjuqWQWhLhEQl.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
SOA.scr.exe

Function 015079D9 Relevance: .2, Instructions: 245
COMMON

Function 01504204 Relevance: .2, Instructions: 241
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre