
Analysis Report S.O.A.exe

Overview

General Information

Sample Name: S.O.A.exe
Analysis ID: 332654
MD5: a6d0bfb43331260ddd40edf9e56c3ea7
SHA1: 433fb43d945c7d9165f7fdc021ed183758a2e409
SHA256: 72c0ad709b6103880afe20c11163d0c27180c8188a492dd424bc613d6bd78c34
Tags: AgentTesla, exe


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
.NET source code contains very large strings
Binary contains a suspicious time stamp
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • S.O.A.exe (PID: 5332 cmdline: 'C:\Users\user\Desktop\S.O.A.exe' MD5: A6D0BFB43331260DDD40EDF9E56C3EA7)
    • S.O.A.exe (PID: 5752 cmdline: C:\Users\user\Desktop\S.O.A.exe MD5: A6D0BFB43331260DDD40EDF9E56C3EA7)
  • cleanup
{
  "Username: ": "IUL4p0okN",
  "URL: ": "https://E0SAJds8rU.net",
  "To: ": "",
  "ByHost: ": "mail.hybridgroupco.com:587",
  "Password: ": "YT6bV8tGj",
  "From: ": ""
}
Source | Rule | Description | Author | Strings
00000001.00000002.575043242.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.580495926.0000000002DD0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.246901436.0000000004411000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
1.2.S.O.A.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

              Sigma Overview

              No Sigma rule has matched

              Signature Overview


AV Detection:

Found malware configuration
Source: S.O.A.exe.5752.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "IUL4p0okN", "URL: ": "https://E0SAJds8rU.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "YT6bV8tGj", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: S.O.A.exe | Virustotal: Detection: 59%
Source: S.O.A.exe | ReversingLabs: Detection: 12%
Machine Learning detection for sample
Source: S.O.A.exe | Joe Sandbox ML: detected
Source: 1.2.S.O.A.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: global traffic | TCP traffic: 192.168.2.7:49749 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_0278A09A recv,
Source: unknown | DNS traffic detected: queries for: mail.hybridgroupco.com
Source: S.O.A.exe, 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: S.O.A.exe, 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: S.O.A.exe | String found in binary or memory: http://tempuri.org/TailoringBusinessDataSet.xsd
Source: S.O.A.exe, 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: http://vLHwJU.com
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: S.O.A.exe, 00000000.00000003.235919953.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: S.O.A.exe, 00000000.00000003.235919953.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTFi
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: S.O.A.exe, 00000000.00000003.234163678.0000000005BDF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: S.O.A.exe, 00000000.00000003.235010380.0000000005BD2000.00000004.00000001.sdmp, S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: S.O.A.exe, 00000000.00000003.235919953.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersx
Source: S.O.A.exe, 00000000.00000003.235919953.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: S.O.A.exe, 00000000.00000003.235919953.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsm
Source: S.O.A.exe, 00000000.00000003.235919953.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: S.O.A.exe, 00000000.00000003.235919953.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: S.O.A.exe, 00000000.00000003.244593533.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: S.O.A.exe, 00000000.00000003.244593533.0000000005BC0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: S.O.A.exe, 00000000.00000003.227005789.0000000005BFD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: S.O.A.exe, 00000000.00000003.228033596.0000000005BC3000.00000004.00000001.sdmp, S.O.A.exe, 00000000.00000003.228214275.0000000005BD1000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: S.O.A.exe, 00000000.00000003.228101707.0000000005BC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn1
Source: S.O.A.exe, 00000000.00000003.228033596.0000000005BC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnNd
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: S.O.A.exe, 00000000.00000003.230261537.0000000005BC6000.00000004.00000001.sdmp, S.O.A.exe, 00000000.00000003.230998214.0000000005BC6000.00000004.00000001.sdmp, S.O.A.exe, 00000000.00000003.230563547.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: S.O.A.exe, 00000000.00000003.230702209.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//v
Source: S.O.A.exe, 00000000.00000003.230702209.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: S.O.A.exe, 00000000.00000003.230998214.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: S.O.A.exe, 00000000.00000003.230998214.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ital
Source: S.O.A.exe, 00000000.00000003.230261537.0000000005BC6000.00000004.00000001.sdmp, S.O.A.exe, 00000000.00000003.230702209.0000000005BC6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: S.O.A.exe, 00000000.00000003.234905032.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: S.O.A.exe, 00000000.00000003.226870433.000000000180D000.00000004.00000001.sdmp, S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: S.O.A.exe, 00000000.00000003.226870433.000000000180D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com9d
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: S.O.A.exe, 00000000.00000003.231783394.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comH
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: S.O.A.exe, 00000000.00000003.229947452.0000000005BDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comU
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: S.O.A.exe, 00000000.00000003.233948310.0000000005BDF000.00000004.00000001.sdmp, S.O.A.exe, 00000000.00000003.236389742.0000000005BDF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: S.O.A.exe, 00000000.00000002.251107005.0000000006DE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: S.O.A.exe, 00000000.00000003.236389742.0000000005BDF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deF
Source: S.O.A.exe, 00000000.00000003.229145416.0000000005BCE000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: S.O.A.exe, 00000001.00000002.580495926.0000000002DD0000.00000004.00000001.sdmp, S.O.A.exe, 00000001.00000002.580661618.0000000002E43000.00000004.00000001.sdmp | String found in binary or memory: https://E0SAJds8rU.net
Source: S.O.A.exe, 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: S.O.A.exe, 00000001.00000002.575043242.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: S.O.A.exe, 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: S.O.A.exe, 00000001.00000002.575043242.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: S.O.A.exe, 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: S.O.A.exe, 00000000.00000002.245548567.00000000013DA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 1.2.S.O.A.exe.400000.0.unpack, <PrivateImplementationDetails>{A01272EA-564B-4A9C-AC9F-821796E7C77F}/8EFB8C04-8A9C-4994-8CFB-16B96781E79B.cs | Large array initialization: .cctor: array initializer size 12005
.NET source code contains very large strings
Source: S.O.A.exe, Form1.cs | Long String: Length: 95584
Source: 0.2.S.O.A.exe.c40000.0.unpack, Form1.cs | Long String: Length: 95584
Source: 0.0.S.O.A.exe.c40000.0.unpack, Form1.cs | Long String: Length: 95584
Source: 1.2.S.O.A.exe.5f0000.1.unpack, Form1.cs | Long String: Length: 95584
Source: 1.0.S.O.A.exe.5f0000.0.unpack, Form1.cs | Long String: Length: 95584
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_0278B0BA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_0278B089 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\S.O.A.exe | File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_00C49EC0
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_00C4B0E0
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_00C4648A
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_05510B08
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_0551D14F
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_0551D160
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_05510AF8
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_07740E71
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_07740070
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_07740007
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_077470E0
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_05514AD0
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 0_2_05514AD8
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_029D0A98
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_029D6480
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_029DD0D0
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_029D9394
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_029DAFE8
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_05933E88
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_059338F8
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_05931AF8
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_059F5740
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_059F1C0F
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_059FC388
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_059F5ED8
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_059FC078
Source: S.O.A.exe, 00000000.00000002.245548567.00000000013DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs S.O.A.exe
Source: S.O.A.exe, 00000000.00000000.225347291.0000000000D50000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCLRIReferenceArrayImpl.exe@ vs S.O.A.exe
Source: S.O.A.exe, 00000000.00000002.251030920.0000000006D60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs S.O.A.exe
Source: S.O.A.exe, 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewaxkhngnqaTOvZFOhVYBxplbssCrroPmXyrvm.exe4 vs S.O.A.exe
Source: S.O.A.exe, 00000001.00000000.244118538.0000000000700000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCLRIReferenceArrayImpl.exe@ vs S.O.A.exe
Source: S.O.A.exe, 00000001.00000002.575043242.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewaxkhngnqaTOvZFOhVYBxplbssCrroPmXyrvm.exe4 vs S.O.A.exe
Source: S.O.A.exe, 00000001.00000002.581963587.0000000005120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs S.O.A.exe
Source: S.O.A.exe, 00000001.00000002.582525516.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs S.O.A.exe
Source: S.O.A.exe, 00000001.00000002.582407453.0000000005600000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs S.O.A.exe
Source: S.O.A.exe | Binary or memory string: OriginalFilenameCLRIReferenceArrayImpl.exe@ vs S.O.A.exe
Source: S.O.A.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: S.O.A.exe, EnumeratorDropIndices.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.S.O.A.exe.c40000.0.unpack, EnumeratorDropIndices.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.S.O.A.exe.c40000.0.unpack, EnumeratorDropIndices.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.S.O.A.exe.5f0000.1.unpack, EnumeratorDropIndices.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.S.O.A.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: S.O.A.exe, Form1.cs | Base64 encoded string: '…'
Source: 0.2.S.O.A.exe.c40000.0.unpack, Form1.cs | Base64 encoded string: '…'
Source: 0.0.S.O.A.exe.c40000.0.unpack, Form1.cs | Base64 encoded string: '…'
Source: 1.2.S.O.A.exe.5f0000.1.unpack, Form1.cs | Base64 encoded string: '…'
Source: 1.0.S.O.A.exe.5f0000.0.unpack, Form1.cs | Base64 encoded string: '…'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/3@1/1
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_0278AF3E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\S.O.A.exe | Code function: 1_2_0278AF07 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\S.O.A.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\S.O.A.exe.log
Source: C:\Users\user\Desktop\S.O.A.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\S.O.A.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\S.O.A.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\S.O.A.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\S.O.A.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\S.O.A.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\S.O.A.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\S.O.A.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: S.O.A.exe | Virustotal: Detection: 59%
Source: S.O.A.exe | ReversingLabs: Detection: 12%
Source: unknown | Process created: C:\Users\user\Desktop\S.O.A.exe 'C:\Users\user\Desktop\S.O.A.exe'
Source: unknown | Process created: C:\Users\user\Desktop\S.O.A.exe C:\Users\user\Desktop\S.O.A.exe
Source: C:\Users\user\Desktop\S.O.A.exe | Process created: C:\Users\user\Desktop\S.O.A.exe C:\Users\user\Desktop\S.O.A.exe
Source: C:\Users\user\Desktop\S.O.A.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\S.O.A.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\S.O.A.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: S.O.A.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: S.O.A.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: S.O.A.exe | Static file information: File size 1101312 > 1048576
Source: C:\Users\user\Desktop\S.O.A.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: S.O.A.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10c400
Source: S.O.A.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: S.O.A.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mscorrc.pdb | source: S.O.A.exe, 00000000.00000002.251030920.0000000006D60000.00000002.00000001.sdmp

              Data Obfuscation:

              barindex
              Binary contains a suspicious time stamp
              Source: initial sampleStatic PE information: 0xEA4D3560 [Sun Jul 25 20:34:40 2094 UTC]
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C4CBE7 push cs; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C455EC push es; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C4CBF9 push cs; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C4CD9D push ss; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C4C0A3 push es; retf
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C4CC4D push ss; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C45A76 push 00000000h; iretd
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C4C30A push cs; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_00C4C310 push cs; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_01357ED8 pushad ; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 0_2_077443EE push dword ptr [ebp-17000000h]; retf
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005FCC4D push ss; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005FC310 push cs; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005FC30A push cs; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005FCBF9 push cs; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005F55EC push es; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005FCBE7 push cs; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005FCD9D push ss; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005F5AA8 push 00000000h; iretd
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_005FC0A3 push es; retf
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_029DBCF0 push eax; iretd
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_029DAD65 push eax; ret
              Source: C:\Users\user\Desktop\S.O.A.exeCode function: 1_2_057B22A1 push 6F70C310h; ret
              Source: initial sampleStatic PE information: section name: .text entropy: 7.57173107227
              Source: C:\Users\user\Desktop\S.O.A.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\S.O.A.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match -- File source: 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match -- File source: Process Memory Space: S.O.A.exe PID: 5332, type: MEMORY
              Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
              Source: C:\Users\user\Desktop\S.O.A.exe -- Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,memAlloc,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\S.O.A.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\S.O.A.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: S.O.A.exe, 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp -- Binary or memory string: SBIEDLL.DLL
              Source: S.O.A.exe, 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp -- Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\S.O.A.exe -- Code function: 0_2_00C46296 sgdt fword ptr [eax]
              Source: C:\Users\user\Desktop\S.O.A.exe -- Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\S.O.A.exe -- Window / User API: threadDelayed 882
              Source: C:\Users\user\Desktop\S.O.A.exe TID: 5328 -- Thread sleep time: -49310s >= -30000s
              Source: C:\Users\user\Desktop\S.O.A.exe TID: 1516 -- Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\S.O.A.exe TID: 5352 -- Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\S.O.A.exe TID: 5352 -- Thread sleep count: 882 > 30
              Source: C:\Users\user\Desktop\S.O.A.exe TID: 5352 -- Thread sleep time: -26460000s >= -30000s
              Source: C:\Users\user\Desktop\S.O.A.exe TID: 5352 -- Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\S.O.A.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\S.O.A.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\S.O.A.exe -- Last function: Thread delayed
              Source: S.O.A.exe, 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp -- Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: S.O.A.exe, 00000001.00000002.581963587.0000000005120000.00000002.00000001.sdmp -- Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: S.O.A.exe, 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp -- Binary or memory string: vmware
              Source: S.O.A.exe, 00000001.00000002.576822038.0000000000D1A000.00000004.00000020.sdmp -- Binary or memory string: Hyper-V RAW
              Source: S.O.A.exe, 00000001.00000002.581963587.0000000005120000.00000002.00000001.sdmp -- Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: S.O.A.exe, 00000001.00000002.581963587.0000000005120000.00000002.00000001.sdmp -- Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: S.O.A.exe, 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA II
              Source: S.O.A.exe, 00000001.00000002.582901213.0000000006060000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: S.O.A.exe, 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp -- Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: S.O.A.exe, 00000001.00000002.581963587.0000000005120000.00000002.00000001.sdmp -- Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\S.O.A.exe -- Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Code function: 1_2_029D30C0 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\S.O.A.exe -- Process token adjusted: Debug
              Source: C:\Users\user\Desktop\S.O.A.exe -- Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\S.O.A.exe -- Memory written: C:\Users\user\Desktop\S.O.A.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\S.O.A.exe -- Process created: C:\Users\user\Desktop\S.O.A.exe C:\Users\user\Desktop\S.O.A.exe
              Source: S.O.A.exe, 00000001.00000002.576963243.0000000001350000.00000002.00000001.sdmp -- Binary or memory string: uProgram Manager
              Source: S.O.A.exe, 00000001.00000002.576963243.0000000001350000.00000002.00000001.sdmp -- Binary or memory string: Shell_TrayWnd
              Source: S.O.A.exe, 00000001.00000002.576963243.0000000001350000.00000002.00000001.sdmp -- Binary or memory string: Progman
              Source: S.O.A.exe, 00000001.00000002.576963243.0000000001350000.00000002.00000001.sdmp -- Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exe -- Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\S.O.A.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\S.O.A.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\S.O.A.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.575043242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.580495926.0000000002DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246901436.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: S.O.A.exe PID: 5752, type: MEMORY
Source: Yara match | File source: 1.2.S.O.A.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\S.O.A.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\S.O.A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\S.O.A.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\S.O.A.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\S.O.A.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\S.O.A.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\S.O.A.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\S.O.A.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: S.O.A.exe PID: 5752, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.575043242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.580495926.0000000002DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246901436.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: S.O.A.exe PID: 5752, type: MEMORY
Source: Yara match | File source: 1.2.S.O.A.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Access Token Manipulation 1 | Disable or Modify Tools 11 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 112 | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 31 | Credentials in Registry 1 | Security Software Discovery 211 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | NTDS | Virtualization/Sandbox Evasion 14 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 11 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 14 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 112 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Behavior Graph (ID: 332654, Sample: S.O.A.exe, Startdate: 21/12/2020, Architecture: WINDOWS, Score: 100). The graph image is not available; its node contents are:

• Start node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 6 other signatures
• Process S.O.A.exe (started): dropped file C:\Users\user\AppData\Local\...\S.O.A.exe.log, ASCII; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
• Child process S.O.A.exe (started): DNS/IP hybridgroupco.com 66.70.204.222, ports 49749 and 587, OVHFR Canada; mail.hybridgroupco.com; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label | Link
S.O.A.exe | 59% | Virustotal | | Browse
S.O.A.exe | 12% | ReversingLabs | Win32.Infostealer.Generic |
S.O.A.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
1.2.S.O.A.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
No Antivirus matches
Source | Detection | Scanner | Label | Link
              http://www.urwpp.de0%URL Reputationsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              http://tempuri.org/TailoringBusinessDataSet.xsd0%Avira URL Cloudsafe
              http://www.sakkal.com0%URL Reputationsafe
              http://www.sakkal.com0%URL Reputationsafe
              http://www.sakkal.com0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              http://www.fontbureau.com.TTFi0%Avira URL Cloudsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              http://www.fontbureau.comF0%URL Reputationsafe
              http://www.fontbureau.comF0%URL Reputationsafe
              http://www.fontbureau.comF0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              http://www.sakkal.comH0%Avira URL Cloudsafe
              http://www.urwpp.deF0%Avira URL Cloudsafe
              http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
              http://www.fontbureau.comd0%URL Reputationsafe
              http://www.fontbureau.comd0%URL Reputationsafe
              http://www.fontbureau.comd0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp//v0%Avira URL Cloudsafe
              http://www.sajatypeworks.com9d0%Avira URL Cloudsafe
              http://www.founder.com.cn/cn10%Avira URL Cloudsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.monotype.0%URL Reputationsafe
              http://www.monotype.0%URL Reputationsafe
              http://www.monotype.0%URL Reputationsafe
              http://www.tiro.comU0%Avira URL Cloudsafe
              http://www.fontbureau.comm0%URL Reputationsafe
              http://www.fontbureau.comm0%URL Reputationsafe
              http://www.fontbureau.comm0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
              http://www.fontbureau.como0%URL Reputationsafe
              http://www.fontbureau.como0%URL Reputationsafe
              http://www.fontbureau.como0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/i0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/i0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/i0%URL Reputationsafe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              hybridgroupco.com | 66.70.204.222 | true | true | | unknown
              mail.hybridgroupco.com | unknown | unknown | true | | unknown
                                              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                              66.70.204.222 | unknown | Canada | | 16276 | OVHFR | true

                                              General Information

                                              Joe Sandbox Version:31.0.0 Red Diamond
                                              Analysis ID:332654
                                              Start date:21.12.2020
                                              Start time:07:27:09
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 8m 28s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:S.O.A.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of new started processes analysed:26
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@3/3@1/1
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                              • Quality average: 45.7%
                                              • Quality standard deviation: 32.3%
                                              HCA Information:
                                              • Successful, ratio: 95%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.139.144, 13.88.21.125, 23.54.113.104, 51.104.139.180, 23.10.249.43, 23.10.249.26, 52.155.217.156, 20.54.26.129, 51.103.5.186, 51.104.146.109
                                              • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              Time | Type | Description
                                              07:28:04 | API Interceptor | 1267x Sleep call for process: S.O.A.exe modified
                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              66.70.204.222PROFORMAR INVOICE DETAILS.exeGet hashmaliciousBrowse
                                                U-8913.exeGet hashmaliciousBrowse
                                                  ORDB2002765.exeGet hashmaliciousBrowse
                                                    REQUEST FOR QUOTATION.exeGet hashmaliciousBrowse
                                                      Proforma Invoice with Bank Details_pdf.exeGet hashmaliciousBrowse
                                                        Image001.exeGet hashmaliciousBrowse
                                                          4nfg3g3nwg.exeGet hashmaliciousBrowse
                                                            DOC04121993.exeGet hashmaliciousBrowse
                                                              PI.exeGet hashmaliciousBrowse
                                                                d9f83622ec1564600202a937d2414af8.exeGet hashmaliciousBrowse
                                                                  Image001.exeGet hashmaliciousBrowse
                                                                    mEPbT6Dbzc.exeGet hashmaliciousBrowse
                                                                      b32sUgpVdT.exeGet hashmaliciousBrowse
                                                                        ZXeB2BO1Lq.exeGet hashmaliciousBrowse
                                                                          kiGANMAmR3.exeGet hashmaliciousBrowse
                                                                            QM34U1x8I6.exeGet hashmaliciousBrowse
                                                                              Y2UrKCOaJm.exeGet hashmaliciousBrowse
                                                                                SJAOO8OCe3.exeGet hashmaliciousBrowse
                                                                                  zh7966Pn0I.exeGet hashmaliciousBrowse
                                                                                    o7B4zT1WNb.exeGet hashmaliciousBrowse
Match: OVHFR

Associated Sample Name / URL | Detection | Context (IP)
PROFORMAR INVOICE DETAILS.exe | malicious | 66.70.204.222
FT0yBTcdXL.exe | malicious | 51.195.57.228
U-8913.exe | malicious | 66.70.204.222
fdwv4hWF1M.exe | malicious | 37.187.24.230
https://app.box.com/s/yihmp2wywbz9lgdbg26g3tc1piwkalab | malicious | 167.114.126.89
invoic.exe | malicious | 217.182.121.225
ORDER #07443.doc............exe | malicious | 178.33.222.243
ORDB2002765.exe | malicious | 66.70.204.222
NEW SC #ORDER.exe | malicious | 79.137.109.121
https://sharia-point.us-south.cf.appdomain.cloud/redirect/?email=Kristine_Bridges@baylor.edu&data=04|01|Kristine_Bridges@baylor.edu|a64194d2378542e06dfc08d8a2802868|22d2fb35256a459bbcf4dc23d42dc0a4|0|0|637438018615913999|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|0&sdata=smYCgJbR96G/HzImvOXjT6991bTFo5/ZZGjJwucJySM=&reserved=0 | malicious | 149.56.20.211
IMG-033-040.exe | malicious | 91.134.14.25
https://performoverlyrefinedapplication.icu/CizCEYfXXsFZDea6dskVLfEdY6BHDc59rTngFTpi7WA?clck=d1b1d4dc-5066-446f-b596-331832cbbdd0&sid=l84343 | malicious | 51.178.20.139
https://www.premierpawn.com/rrt/xxtb/sharepoints/Root | malicious | 149.56.20.211
https://greens.us-south.cf.appdomain.cloud/smain/?op=c2FsZXNAZm9yZHdheS5jb20=&/yanief4OLVfRFm.php?83_aJjkvU053dh2qESwbhSn93984jjd8pksh_048jdkkd9n488 | malicious | 149.56.20.211
https://feeds.eu-gb.cf.appdomain.cloud/redirect/?email=sales@fordway.com | malicious | 149.56.20.211
anthon.exe | malicious | 94.23.162.163
po.exe | malicious | 213.186.33.5
Endermanch@Cerber5.exe | malicious | 87.98.178.220
yzMDw6Bw7L.exe | malicious | 51.68.126.34
https://www.canva.com/design/DAEQhJJcWXg/K70jRsqdLH-IqE8UfZ1PJw/view?utm_content=DAEQhJJcWXg&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious | 192.99.201.26

The match is on the hosting ASN, so these samples share infrastructure provider rather than a C2 host; the one pivot of real value is 66.70.204.222, the host this sample talks to on port 587 (see Network Behavior), which also appears as context for PROFORMAR INVOICE DETAILS.exe, U-8913.exe and ORDB2002765.exe.

No context
No context
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\S.O.A.exe.log
Process: C:\Users\user\Desktop\S.O.A.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1020
Entropy (8bit): 5.261339593396354
Encrypted: false
SSDEEP: 24:MLF20NaL3z2p29hJ5g522rW2xAi3AP2a2+g2sj4Q:MwLLD2Y9h3go2rxxAcAO9+g2I4Q
MD5: B506BF0A409FDAC62C26AF6AF4049B35
SHA1: 3C975128F5B6B4F905DFCFE75B27FE972197FACC
SHA-256: 02B08BD5F7AB1F042C887A9EF22AF4A68970CA9FDE5F469DF62BAB460B2C2B10
SHA-512: 9DD72E246DEA7907E3FBD3F4C2FE157F55CCC3DE3B3AC27695ED7A7D935BB1CE9D0CD94CF42BE830809396888E268C30CA50E974668603FFFE13F94A5CC0830A
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\27ab8d047396db374abb803b446b76f0\System.Data.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\22e1c794b1880570e2d8157de93393ec\Acces
This is the per-process assembly usage log the 32-bit CLR v2.0 writes under the user profile; the truncated preview records the native images the process loaded (System, Microsoft.VisualBasic, System.Drawing, System.Windows.Forms, System.Runtime.Remoting, System.Data, System.Xml, Accessibility, ...), and the CLR_v2.0_32 directory in the path agrees with the CLR version v2.0.50727 in the PE header.
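The record format visible in the preview above (CRLF-terminated lines, a leading numeric record kind, quoted Windows paths) is simple enough to parse when triaging a host for what a .NET process actually loaded. The following parser is an added example and not part of the Joe Sandbox report; the input is constructed to mirror the preview, and the reading of kind-1 records as the fusion/GAC binding context and kind-3 records as assembly-load entries is an assumption drawn from the preview, not documented runtime behaviour.

```python
import csv
import ntpath

# Constructed input modelled on the S.O.A.exe.log preview (not the real file).
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '3,"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\1ffc437de59fb69ba2b865ffdc98ffd1\\System.ni.dll",0\r\n'
    '3,"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\cd7c74fce2a0eab72cd25cbe4bb61614\\Microsoft.VisualBasic.ni.dll",0\r\n'
    '3,"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\54d944b3ca0ea1188d700fbd8089726b\\System.Drawing.ni.dll",0\r\n'
    '3,"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\bd8d59c984c9f5f2695f64341115cdf0\\System.Windows.Forms.ni.dll",0\r\n'
)


def parse_usage_log(text: str):
    """Return [(kind, fields), ...]; records without a numeric kind are skipped, not raised."""
    records = []
    for row in csv.reader(text.splitlines()):      # csv handles the quoted backslash paths
        if not row or not row[0].isdigit():
            continue
        records.append((int(row[0]), row[1:]))
    return records


def loaded_native_images(text: str):
    """Paths from kind-3 records (assumed: one record per loaded native image), in log order."""
    return [fields[0] for kind, fields in parse_usage_log(text) if kind == 3 and fields]


def assembly_names(text: str):
    """Strip the NativeImages cache path and the .ni.dll suffix to get plain assembly names.
    Working from the file name sidesteps the '#'-truncated directory names seen in the preview."""
    names = []
    for path in loaded_native_images(text):
        base = ntpath.basename(path)
        if base.lower().endswith(".ni.dll"):
            base = base[:-len(".ni.dll")]
        if base not in names:
            names.append(base)
    return names


def clr_version_from_path(log_path: str):
    """The UsageLogs parent directory (e.g. CLR_v2.0_32) names the runtime that hosted the process,
    which is worth comparing against the CLR version claimed in the PE header."""
    for part in log_path.replace("/", "\\").split("\\"):
        if part.startswith("CLR_"):
            return part[len("CLR_"):]
    return None
```

Run against a real UsageLogs file, the assembly list is a quick answer to "did this process pull in networking, mail or UI assemblies", and the runtime directory tells you which CLR to collect further artifacts from.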
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
Process: C:\Users\user\Desktop\S.O.A.exe
File Type: data
Category: dropped
Size (bytes): 382
Entropy (8bit): 3.0697294685057006
Encrypted: false
SSDEEP: 6:LlUfKtlMlW8hWIE5lOyAFMlcL5nXv4+lRqE1Xv4ylcL5BRpihS6Atl:YKtlkXhJakJkcL5nQa1Q2cL5BKhS6A
MD5: 0A7E8FF5CC42C93E140D4A4DD65BA0C1
SHA1: 81D72E7863D01822764B524A6E1882016E3240AA
SHA-256: 2E72D7EDA4E3F8AFB59DECEC41B7A636E81BA6E315FC9DE8E7A5791418EF6DB2
SHA-512: C76E4A9DC20A782EE656CB7B0EAE5115566823964B2124BF2601202F5BDD75AB7DD2E28A831BF3E0D00991377BA90B9ED0AB286B4180409A8AA1D6ED55A19AB6
Malicious: false
Reputation: low
Preview: ....b...............f.i.l.e.:./././.C.:./.U.s.e.r.s./.f.r.o.n.t.d.e.s.k./.D.e.s.k.t.o.p./.S...O...A...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e............................................b.U.,..........
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
Process: C:\Users\user\Desktop\S.O.A.exe
File Type: data
Category: dropped
Size (bytes): 382
Entropy (8bit): 3.0697294685057006
Encrypted: false
SSDEEP: 6:LlUfKtlMlW8hWIE5lOyAFMlcL5nXv4+lRqE1Xv4ylcL5BRpihS6Atl:YKtlkXhJakJkcL5nQa1Q2cL5BKhS6A
MD5: 0A7E8FF5CC42C93E140D4A4DD65BA0C1
SHA1: 81D72E7863D01822764B524A6E1882016E3240AA
SHA-256: 2E72D7EDA4E3F8AFB59DECEC41B7A636E81BA6E315FC9DE8E7A5791418EF6DB2
SHA-512: C76E4A9DC20A782EE656CB7B0EAE5115566823964B2124BF2601202F5BDD75AB7DD2E28A831BF3E0D00991377BA90B9ED0AB286B4180409A8AA1D6ED55A19AB6
Malicious: false
Reputation: low
Preview: ....b...............f.i.l.e.:./././.C.:./.U.s.e.r.s./.f.r.o.n.t.d.e.s.k./.D.e.s.k.t.o.p./.S...O...A...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e............................................b.U.,..........
The two .cch.new files are byte-identical (same size and hashes): they are the .NET 2.0 code-access-security policy cache the runtime rewrites when an assembly runs, and the UTF-16 preview records an Unrestricted PermissionSet for file:///C:/Users/frontdesk/Desktop/S.O.A.exe. Note that the preview keeps the real account name (frontdesk) while the Process field shows the normalised user path; the cache contents are a side effect of execution, not something the sample wrote deliberately.

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.565918704481534
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: S.O.A.exe
File size: 1101312
MD5: a6d0bfb43331260ddd40edf9e56c3ea7
SHA1: 433fb43d945c7d9165f7fdc021ed183758a2e409
SHA256: 72c0ad709b6103880afe20c11163d0c27180c8188a492dd424bc613d6bd78c34
SHA512: 3c6f0cfc38dad995c35b2e2f41bd5b74e869f18218bc294e854f44f35ced16c42cff1950c43004a5e0f2b78669db40049a602903035b98d4e9cfbf8452f1e2f7
SSDEEP: 12288:/fBHnyCWslmy/jT+D9jW1LU7vFLnuBDUZhvrXnOVvJgwdgl1zvQtG3+fVFn5ygaa:/fBHypyav0OhDkvJgwWl1Ua+H5JaO0a
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`5M...............P.................. ........@.. .......................@............@................................

File Icon

Icon Hash: 00828e8e8686b000

General

Entrypoint: 0x50e39a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xEA4D3560 [Sun Jul 25 20:34:40 2094 UTC] (a link time more than seventy years after the Dec 21, 2020 analysis; the COFF timestamp is trivially forged and this is what the "Binary contains a suspicious time stamp" signature refers to)
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744 (the only native import is mscoree.dll!_CorExeMain, so this imphash is shared by practically every 32-bit .NET executable and is useless for pivoting; use the managed metadata, e.g. TypeRef/MemberRef tables, instead)
Instruction (disassembly at the entry point 0x50e39a)
jmp dword ptr [00402000h]     ; indirect jump through the IAT entry at RVA 0x2000 (the sole import, mscoree.dll!_CorExeMain): the standard native stub of a managed executable, which hands control to the CLR
add byte ptr [eax], al        ; repeated 97 times in the original listing: the bytes after the stub are all zero (00 00), which the disassembler renders as this instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10e348 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x110000 | 0x5fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x112000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10e32c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x10c3a0 | 0x10c400 | False | 0.856658281396 | data | 7.57173107227 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x110000 | 0x5fc | 0x600 | False | 0.434244791667 | data | 4.20172696796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x112000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The .text section accounts for 0x10c400 (1,098,752) of the 1,101,312-byte file and sits at entropy 7.57 with ZLIB complexity 0.86, i.e. it is almost entirely incompressible data rather than IL; that matches the very large array initializations flagged in the signatures and the injected PE payload the sample later unpacks.
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x110090 | 0x36c | data | |
RT_MANIFEST | 0x11040c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019
Assembly Version | 1.0.0.0
InternalName | CLRIReferenceArrayImpl.exe
FileVersion | 1.0.0.0
CompanyName | (empty)
LegalTrademarks | (empty)
Comments | (empty)
ProductName | ManageCustomers
ProductVersion | 1.0.0.0
FileDescription | ManageCustomers
OriginalFilename | CLRIReferenceArrayImpl.exe
The version resource calls the binary CLRIReferenceArrayImpl.exe and the product ManageCustomers, neither of which has anything to do with the delivered name S.O.A.exe or with each other; an empty CompanyName beside a filled-in copyright year is a further sign of builder output rather than a shipped product.

Network Behavior

Network Port Distribution

• Total Packets: 37
• 587 undefined
• 53 (DNS)
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 21, 2020 07:29:37.638143063 CET | 192.168.2.7 | 8.8.8.8 | 0x93c0 | Standard query (0) | mail.hybridgroupco.com | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 21, 2020 07:29:37.668183088 CET | 8.8.8.8 | 192.168.2.7 | 0x93c0 | No error (0) | mail.hybridgroupco.com | hybridgroupco.com | | CNAME (Canonical name) | IN (0x0001)
Dec 21, 2020 07:29:37.668183088 CET | 8.8.8.8 | 192.168.2.7 | 0x93c0 | No error (0) | hybridgroupco.com | | 66.70.204.222 | A (IP address) | IN (0x0001)

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 21, 2020 07:29:38.209640026 CET | 587 | 49749 | 66.70.204.222 | 192.168.2.7 | 220-host.theserver.live ESMTP Exim 4.93 #2 Mon, 21 Dec 2020 10:29:38 +0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Dec 21, 2020 07:29:38.209669113 CET | 587 | 49749 | 66.70.204.222 | 192.168.2.7 | 421 host.theserver.live lost input connection

Code Manipulations

Statistics

Behavior

System Behavior

Start time: 07:27:56
Start date: 21/12/2020
Path: C:\Users\user\Desktop\S.O.A.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\S.O.A.exe'
Imagebase: 0xc40000
File size: 1101312 bytes
MD5 hash: A6D0BFB43331260DDD40EDF9E56C3EA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.246901436.0000000004411000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.246366322.0000000003411000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Start time: 07:28:05
Start date: 21/12/2020
Path: C:\Users\user\Desktop\S.O.A.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\S.O.A.exe
Imagebase: 0x5f0000
File size: 1101312 bytes
MD5 hash: A6D0BFB43331260DDD40EDF9E56C3EA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.575043242.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.580495926.0000000002DD0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.580160688.0000000002D51000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis