Windows Analysis Report
SOA SEP 2024.exe

Overview

General Information

Sample name: SOA SEP 2024.exe
Analysis ID: 1560694
MD5: 3463c053c39de2170aa78b8aa253e999
SHA1: e40e4169c635a3a34acb63928ad2ce89089a52fe
SHA256: 4b53b5e5756b9b3f43e32650b65590d0fe529e653a469b361df4bcf710b4e943
Tags: exeRedLineStealeruser-lowmal3
Infos:

Detection

PureLog Stealer, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Snake Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838", "Token": "7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI", "Chat_id": "1443320838", "Version": "5.1"}
Multi AV Scanner detection for submitted file
Source: SOA SEP 2024.exe ReversingLabs: Detection: 31%
Source: SOA SEP 2024.exe Virustotal: Detection: 27% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: SOA SEP 2024.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: SOA SEP 2024.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SOA SEP 2024.exe, 00000000.00000003.2096647600.0000000003690000.00000004.00001000.00020000.00000000.sdmp, SOA SEP 2024.exe, 00000000.00000003.2096906807.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SOA SEP 2024.exe, 00000000.00000003.2096647600.0000000003690000.00000004.00001000.00020000.00000000.sdmp, SOA SEP 2024.exe, 00000000.00000003.2096906807.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_007A6CA9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_007A60DD
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_007A63F9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007AEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_007AEB60
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007AF56F FindFirstFileW,FindClose, 0_2_007AF56F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007AF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_007AF5FA
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007B1B2F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007B1C8A
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_007B1F94
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 2_2_02DCE128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAB781h 2_2_06BAB4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BA045Dh 2_2_06BA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BACD39h 2_2_06BACA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAD191h 2_2_06BACEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAC8E1h 2_2_06BAC638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAF8A9h 2_2_06BAF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BADA41h 2_2_06BAD798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BA045Dh 2_2_06BA038B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BADE99h 2_2_06BADBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAAA79h 2_2_06BAA7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAA1C9h 2_2_06BA9F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAA621h 2_2_06BAA378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAD5E9h 2_2_06BAD340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAE749h 2_2_06BAE4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAB329h 2_2_06BAB080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAEBA1h 2_2_06BAE8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAAED1h 2_2_06BAAC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BA045Dh 2_2_06BA0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAE2F1h 2_2_06BAE048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAF451h 2_2_06BAF1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAC031h 2_2_06BABD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAC489h 2_2_06BAC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BABBD9h 2_2_06BAB930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BAEFF9h 2_2_06BAED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC58C1h 2_2_06BC5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC77E5h 2_2_06BC74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC619Ah 2_2_06BC5EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC6A49h 2_2_06BC67A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC4761h 2_2_06BC44B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 2_2_06BC256E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC5011h 2_2_06BC4D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC8322h 2_2_06BC8278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC5D19h 2_2_06BC5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC8322h 2_2_06BC8270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 2_2_06BC2258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 2_2_06BC2247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC6EA1h 2_2_06BC6BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC65F1h 2_2_06BC6348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC42E1h 2_2_06BC4038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC72F9h 2_2_06BC7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC5469h 2_2_06BC51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06BC4BB9h 2_2_06BC4910

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View IP Address: 193.122.130.0 193.122.130.0
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.67.152:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_007B4EB5
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003294000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: RegSvcs.exe, 00000002.00000002.4553786112.0000000003340000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000032F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_007B6B0C
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_007B6D07
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_007B6B0C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_007A2B37
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007CF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_007CF7FF

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.SOA SEP 2024.exe.6c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2102007208.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4552483120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: This is a third-party compiled AutoIt script. 0_2_00763D19
Source: SOA SEP 2024.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SOA SEP 2024.exe, 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ae532dc0-1
Source: SOA SEP 2024.exe, 00000000.00000002.2102106470.000000000080E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: ySDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_9f3682b0-c
Source: SOA SEP 2024.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2804b69f-a
Source: SOA SEP 2024.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_199655e8-2
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A6606: CreateFileW,DeviceIoControl,CloseHandle, 0_2_007A6606
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_0079ACC5
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_007A79D3
Detected potential crypto function
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0078B043 0_2_0078B043
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079410F 0_2_0079410F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007802A4 0_2_007802A4
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0076E3E3 0_2_0076E3E3
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079038E 0_2_0079038E
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079467F 0_2_0079467F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007806D9 0_2_007806D9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007CAACE 0_2_007CAACE
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00794BEF 0_2_00794BEF
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0078CCC1 0_2_0078CCC1
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0076AF50 0_2_0076AF50
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00766F07 0_2_00766F07
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077B11F 0_2_0077B11F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007C31BC 0_2_007C31BC
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0078D1B9 0_2_0078D1B9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079724D 0_2_0079724D
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0078123A 0_2_0078123A
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00773200 0_2_00773200
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007693F0 0_2_007693F0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A13CA 0_2_007A13CA
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077F563 0_2_0077F563
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007AB6CC 0_2_007AB6CC
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007696C0 0_2_007696C0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007CF7FF 0_2_007CF7FF
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007677B0 0_2_007677B0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007979C9 0_2_007979C9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077FA57 0_2_0077FA57
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00773B70 0_2_00773B70
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00769B60 0_2_00769B60
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00767D19 0_2_00767D19
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077FE6F 0_2_0077FE6F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00789ED0 0_2_00789ED0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00767FA3 0_2_00767FA3
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00D695C0 0_2_00D695C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00408C60 2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040DC11 2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00407C3F 2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418CCC 2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00406CA0 2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004028B0 2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041A4BE 2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418244 2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00401650 2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004193C4 2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418788 2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402F89 2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402B90 2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004073A0 2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02DC12C0 2_2_02DC12C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02DC12B0 2_2_02DC12B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02DC1550 2_2_02DC1550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02DC1560 2_2_02DC1560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA22A8 2_2_06BA22A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA6E98 2_2_06BA6E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA67C8 2_2_06BA67C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAB4D8 2_2_06BAB4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA229A 2_2_06BA229A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BACA90 2_2_06BACA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BACA82 2_2_06BACA82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BACEE8 2_2_06BACEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BACEDC 2_2_06BACEDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAC638 2_2_06BAC638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAC62A 2_2_06BAC62A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA5E20 2_2_06BA5E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA5E10 2_2_06BA5E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAF600 2_2_06BAF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAD798 2_2_06BAD798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAD792 2_2_06BAD792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BADBF0 2_2_06BADBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BADBE4 2_2_06BADBE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAA7D0 2_2_06BAA7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAA7C0 2_2_06BAA7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAD330 2_2_06BAD330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA9F20 2_2_06BA9F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA9F0F 2_2_06BA9F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAA378 2_2_06BAA378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAA36A 2_2_06BAA36A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAD340 2_2_06BAD340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAE4A0 2_2_06BAE4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAE490 2_2_06BAE490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAB080 2_2_06BAB080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAE8F8 2_2_06BAE8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAE8E8 2_2_06BAE8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAB4C8 2_2_06BAB4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAE039 2_2_06BAE039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAAC28 2_2_06BAAC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAAC19 2_2_06BAAC19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAB070 2_2_06BAB070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAE048 2_2_06BAE048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BA65A8 2_2_06BA65A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAF1A8 2_2_06BAF1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAF198 2_2_06BAF198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BABD88 2_2_06BABD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAF5F0 2_2_06BAF5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAC1E0 2_2_06BAC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAC1D0 2_2_06BAC1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAB930 2_2_06BAB930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAB920 2_2_06BAB920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BABD78 2_2_06BABD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAED50 2_2_06BAED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BAED40 2_2_06BAED40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCA6B0 2_2_06BCA6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCC6B0 2_2_06BCC6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC5618 2_2_06BC5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC74A8 2_2_06BC74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCAD18 2_2_06BCAD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC9388 2_2_06BC9388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCB380 2_2_06BCB380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC7B00 2_2_06BC7B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCA050 2_2_06BCA050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCC050 2_2_06BCC050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC0040 2_2_06BC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC99F0 2_2_06BC99F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCB9E8 2_2_06BCB9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC16B8 2_2_06BC16B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC16A7 2_2_06BC16A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCA6A0 2_2_06BCA6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC5EF0 2_2_06BC5EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC5EE1 2_2_06BC5EE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC5608 2_2_06BC5608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC67A0 2_2_06BC67A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC6790 2_2_06BC6790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC44B8 2_2_06BC44B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC44A8 2_2_06BC44A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC7499 2_2_06BC7499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC25D0 2_2_06BC25D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCAD0A 2_2_06BCAD0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC4D68 2_2_06BC4D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC4D58 2_2_06BC4D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC7AF0 2_2_06BC7AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC32D0 2_2_06BC32D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC5A70 2_2_06BC5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC5A60 2_2_06BC5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC2258 2_2_06BC2258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC2247 2_2_06BC2247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC6BF8 2_2_06BC6BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC6BE9 2_2_06BC6BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC6339 2_2_06BC6339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC9378 2_2_06BC9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCB370 2_2_06BCB370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC6348 2_2_06BC6348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC4038 2_2_06BC4038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC4028 2_2_06BC4028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC7050 2_2_06BC7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC7040 2_2_06BC7040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCA040 2_2_06BCA040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCC040 2_2_06BCC040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC51B1 2_2_06BC51B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC99E2 2_2_06BC99E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCB9D7 2_2_06BCB9D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC51C0 2_2_06BC51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC4910 2_2_06BC4910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BC4900 2_2_06BC4900
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: String function: 0077EC2F appears 68 times
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: String function: 0078F8A0 appears 35 times
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: String function: 00786AC0 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Sample file is different than original file name gathered from version info
Source: SOA SEP 2024.exe, 00000000.00000003.2096072898.0000000003613000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SOA SEP 2024.exe
Source: SOA SEP 2024.exe, 00000000.00000003.2097026105.00000000037BD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SOA SEP 2024.exe
Source: SOA SEP 2024.exe, 00000000.00000002.2102007208.00000000006C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SOA SEP 2024.exe
Uses 32bit PE files
Source: SOA SEP 2024.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.SOA SEP 2024.exe.6c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2102007208.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4552483120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, 2-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, 2-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, ---.cs Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, ---.cs Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, ---.cs Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, ---.cs Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, ---.cs Base64 encoded string: 'tPa5k5FJD4dSXw0EqQ2lIcLtrXnSHhm60gt1D+3WpsNqPxTv3g1y5+EIwUawZGy8'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007ACE7A GetLastError,FormatMessageW, 0_2_007ACE7A
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079AB84 AdjustTokenPrivileges,CloseHandle, 0_2_0079AB84
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_0079B134
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007AE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_007AE1FD
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_007A6532
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007BC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_007BC18C
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0076406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_0076406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SOA SEP 2024.exe File created: C:\Users\user\AppData\Local\Temp\aut6260.tmp Jump to behavior
Source: SOA SEP 2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 00000002.00000002.4553786112.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.0000000003410000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004266000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000033CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.000000000341D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553786112.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SOA SEP 2024.exe ReversingLabs: Detection: 31%
Source: SOA SEP 2024.exe Virustotal: Detection: 27%
Source: unknown Process created: C:\Users\user\Desktop\SOA SEP 2024.exe "C:\Users\user\Desktop\SOA SEP 2024.exe"
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA SEP 2024.exe"
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA SEP 2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: SOA SEP 2024.exe Static file information: File size 1146368 > 1048576
Source: SOA SEP 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SOA SEP 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SOA SEP 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SOA SEP 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SOA SEP 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SOA SEP 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SOA SEP 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SOA SEP 2024.exe, 00000000.00000003.2096647600.0000000003690000.00000004.00001000.00020000.00000000.sdmp, SOA SEP 2024.exe, 00000000.00000003.2096906807.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SOA SEP 2024.exe, 00000000.00000003.2096647600.0000000003690000.00000004.00001000.00020000.00000000.sdmp, SOA SEP 2024.exe, 00000000.00000003.2096906807.00000000034F0000.00000004.00001000.00020000.00000000.sdmp
Source: SOA SEP 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SOA SEP 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SOA SEP 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SOA SEP 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SOA SEP 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077E01E LoadLibraryA,GetProcAddress, 0_2_0077E01E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077288B push 66007723h; retn 007Dh 0_2_007728E1
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00786B05 push ecx; ret 0_2_00786B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C40C push cs; iretd 2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00423149 push eax; ret 2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C50E push cs; iretd 2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004231C8 push eax; ret 2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040E21D push ecx; ret 2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C6BE push ebx; ret 2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041BFCD pushad ; ret 2_2_0041BFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02DC4771 pushfd ; iretd 2_2_02DC4772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02DC2720 push FFFFFF9Eh; iretd 2_2_02DC2724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BCE48F push es; retf 2_2_06BCE490
Source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'lXmeqrAKqylJZ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007C8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_007C8111
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0077EB42
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0078123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0078123A
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\SOA SEP 2024.exe API/Special instruction interceptor: Address: D691E4
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595113 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8302 Jump to behavior
Found evaded block containing many API calls
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Evaded block: after key decision
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SOA SEP 2024.exe API coverage: 4.4 %
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_007A6CA9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_007A60DD
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_007A63F9
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007AEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_007AEB60
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007AF56F FindFirstFileW,FindClose, 0_2_007AF56F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007AF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_007AF5FA
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007B1B2F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007B1C8A
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_007B1F94
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0077DDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595113 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985 Jump to behavior
Source: RegSvcs.exe, 00000002.00000002.4553026302.0000000001436000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B6AAF BlockInput, 0_2_007B6AAF
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00763D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00763D19
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00793920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00793920
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077E01E LoadLibraryA,GetProcAddress, 0_2_0077E01E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00D694B0 mov eax, dword ptr fs:[00000030h] 0_2_00D694B0
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00D69450 mov eax, dword ptr fs:[00000030h] 0_2_00D69450
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00D67E30 mov eax, dword ptr fs:[00000030h] 0_2_00D67E30
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_0079A66C
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007881AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007881AC
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00788189 SetUnhandledExceptionFilter, 0_2_00788189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004123F1 SetUnhandledExceptionFilter, 2_2_004123F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F3E008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079B106 LogonUserW, 0_2_0079B106
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00763D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00763D19
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A411C SendInput,keybd_event, 0_2_007A411C
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A74E7 mouse_event, 0_2_007A74E7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA SEP 2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0079A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_0079A66C
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007A71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_007A71FA
Source: SOA SEP 2024.exe Binary or memory string: Shell_TrayWnd
Source: SOA SEP 2024.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007865C4 cpuid 0_2_007865C4
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 2_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 0_2_007B091D
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007DB340 GetUserNameW, 0_2_007DB340
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_00791E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00791E8E
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_0077DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0077DDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: SOA SEP 2024.exe Binary or memory string: WIN_81
Source: SOA SEP 2024.exe Binary or memory string: WIN_XP
Source: SOA SEP 2024.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: SOA SEP 2024.exe Binary or memory string: WIN_XPe
Source: SOA SEP 2024.exe Binary or memory string: WIN_VISTA
Source: SOA SEP 2024.exe Binary or memory string: WIN_7
Source: SOA SEP 2024.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee4ee6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5650000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4175570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5750ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.41a9590.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2ee5dce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4553786112.0000000003359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555400632.0000000005750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555060395.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4555306563.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4553461018.0000000002EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4553786112.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1560, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_007B8C4F
Source: C:\Users\user\Desktop\SOA SEP 2024.exe Code function: 0_2_007B923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_007B923B
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.67.152
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
193.122.130.0
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 104.21.67.152 true
checkip.dyndns.com 193.122.130.0 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
    		high
    https://reallyfreegeoip.org/xml/8.46.123.75 false
      		high