
Windows Analysis Report
PENDING PAYMENT FOR March SOA.exe

Overview

General Information

Sample name: PENDING PAYMENT FOR March SOA.exe
Analysis ID: 1636128
MD5: 786cc8e0779c5ee6d1c4190a1a24be6d
SHA1: c3291781baf1ba8c8add51502f984861ab0f37ba
SHA256: e43126516cb07aed914aae46c6619db608a984d878ac57d515e8cfd85e696ad3
Tags: exeuser-lowmal3

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk/sendMessage?chat_id=7854955274", "Token": "7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk", "Chat_id": "7854955274", "Version": "5.1"}
Source | Rule | Description | Author
00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1490e:$a1: get_encryptedPassword
  • 0x14bfa:$a2: get_encryptedUsername
  • 0x1471a:$a3: get_timePasswordChanged
  • 0x14815:$a4: get_passwordField
  • 0x14924:$a5: set_encryptedPassword
  • 0x15fab:$a7: get_logins
  • 0x15f0e:$a10: KeyLoggerEventArgs
  • 0x15b79:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x1988c:$x1: $%SMTPDV$
  • 0x18270:$x2: $#TheHashHere%&
  • 0x19834:$x3: %FTPDV$
  • 0x18210:$x4: $%TelegramDv$
  • 0x15b79:$x5: KeyLoggerEventArgs
  • 0x15f0e:$x5: KeyLoggerEventArgs
  • 0x19858:$m2: Clipboard Logs ID
  • 0x19a96:$m2: Screenshot Logs ID
  • 0x19ba6:$m2: keystroke Logs ID
  • 0x19e80:$m3: SnakePW
  • 0x19a6e:$m4: \SnakeKeylogger\
00000001.00000002.3769862378.0000000003105000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
Source | Rule | Description | Author
0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x12d0e:$a1: get_encryptedPassword
  • 0x12ffa:$a2: get_encryptedUsername
  • 0x12b1a:$a3: get_timePasswordChanged
  • 0x12c15:$a4: get_passwordField
  • 0x12d24:$a5: set_encryptedPassword
  • 0x143ab:$a7: get_logins
  • 0x1430e:$a10: KeyLoggerEventArgs
  • 0x13f79:$a11: KeyLoggerEventArgsEventHandler
0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1a642:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x19874:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19ca7:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ace6:$a5: \Kometa\User Data\Default\Login Data
0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x138e3:$s1: UnHook
  • 0x138ea:$s2: SetHook
  • 0x138f2:$s3: CallNextHook
  • 0x138ff:$s4: _hook
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-12T12:36:26.141810+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 104.21.64.1 | 443 | TCP
2025-03-12T12:36:29.036175+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 104.21.64.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-12T12:36:20.479018+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49709 | 132.226.247.73 | 80 | TCP
2025-03-12T12:36:23.947773+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49709 | 132.226.247.73 | 80 | TCP
2025-03-12T12:36:26.869609+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49712 | 132.226.247.73 | 80 | TCP

AV Detection

Source: PENDING PAYMENT FOR March SOA.exe | Avira: detected
Source: 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk/sendMessage?chat_id=7854955274", "Token": "7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk", "Chat_id": "7854955274", "Version": "5.1"}
Source: PENDING PAYMENT FOR March SOA.exe | Virustotal: Detection: 46%
Source: PENDING PAYMENT FOR March SOA.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack | String decryptor:
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack | String decryptor: 7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack | String decryptor: 7854955274
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack | String decryptor:
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack | String decryptor: 7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack | String decryptor: 7854955274

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: PENDING PAYMENT FOR March SOA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: PENDING PAYMENT FOR March SOA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0140F1F6h | 1_2_0140F007
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0140FB80h | 1_2_0140F007
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_0140E528
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_0140EB5B
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_0140ED3C
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 05611471h | 1_2_056111C0
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 056102F1h | 1_2_05610040
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 05611A38h | 1_2_05611620
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561CD49h | 1_2_0561CAA0
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 05611011h | 1_2_05610D60
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561F009h | 1_2_0561ED60
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 05611A38h | 1_2_05611966
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561BBE9h | 1_2_0561B940
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 05610BB1h | 1_2_05610900
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561EBB1h | 1_2_0561E908
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561C499h | 1_2_0561C1F0
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561F461h | 1_2_0561F1B8
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561C041h | 1_2_0561BD98
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561E301h | 1_2_0561E058
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561DEA9h | 1_2_0561DC00
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561B791h | 1_2_0561B4E8
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 05610751h | 1_2_056104A0
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561E759h | 1_2_0561E4B0
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561D5F9h | 1_2_0561D350
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561DA51h | 1_2_0561D7A8
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561FD11h | 1_2_0561FA68
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561C8F1h | 1_2_0561C648
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561F8B9h | 1_2_0561F610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe | Code function: 4x nop then jmp 0561D1A1h | 1_2_0561CEF8
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.64.1
Source: Joe Sandbox View | IP Address: 104.21.64.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 104.21.64.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.000000000309F000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003092000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.000000000309F000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003042000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003092000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030AD000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.000000000309F000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003017000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003092000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.000000000309F000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003042000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003092000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030F7000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.000000000309F000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003042000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003092000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000030AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: PENDING PAYMENT FOR March SOA.exe | String found in binary or memory: https://www.google.com/?Please
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8368, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8368, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8416, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8416, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: initial sample | Static PE information: Filename: PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1309854039.0000000005B60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1304661989.0000000002911000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1310143655.0000000006F10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1303238388.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000000.1291108163.00000000005B2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAlXe.exe0 vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1304661989.000000000295B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000000.00000002.1304661989.0000000002969000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3768093947.00000000010F7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe Binary or memory string: OriginalFilenameAlXe.exe0 vs PENDING PAYMENT FOR March SOA.exe
Source: PENDING PAYMENT FOR March SOA.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8368, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8368, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8416, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8416, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: PENDING PAYMENT FOR March SOA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, m-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, m-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, m-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, m-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, --.cs Base64 encoded string: 'JzeJw/b9xm+6S2XbSxm04VLxDXW0s8jprFo3QVj1S6zHgpFf8L4EKsa9LKLu5QP6'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, --.cs Base64 encoded string: 'JzeJw/b9xm+6S2XbSxm04VLxDXW0s8jprFo3QVj1S6zHgpFf8L4EKsa9LKLu5QP6'
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, y6jdN9khquxWsA7Y7t.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, y6jdN9khquxWsA7Y7t.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, MjFNFRLwn216pVmRQU.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, MjFNFRLwn216pVmRQU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, MjFNFRLwn216pVmRQU.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, MjFNFRLwn216pVmRQU.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, MjFNFRLwn216pVmRQU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, MjFNFRLwn216pVmRQU.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, y6jdN9khquxWsA7Y7t.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, y6jdN9khquxWsA7Y7t.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PENDING PAYMENT FOR March SOA.exe.log
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Mutant created: NULL
Source: PENDING PAYMENT FOR March SOA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PENDING PAYMENT FOR March SOA.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003194000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3772660502.0000000003FC4000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003186000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3769862378.0000000003176000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PENDING PAYMENT FOR March SOA.exe Virustotal: Detection: 46%
Source: PENDING PAYMENT FOR March SOA.exe ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe "C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe"
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Process created: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe "C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe"
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Process created: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe "C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe"
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: PENDING PAYMENT FOR March SOA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PENDING PAYMENT FOR March SOA.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: PENDING PAYMENT FOR March SOA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

            Data Obfuscation

            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, MjFNFRLwn216pVmRQU.cs  .Net Code: WXjOUNgIrO System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, MjFNFRLwn216pVmRQU.cs  .Net Code: WXjOUNgIrO System.Reflection.Assembly.Load(byte[])
            Source: PENDING PAYMENT FOR March SOA.exe  Static PE information: 0xC290923D [Fri Jun 9 17:22:05 2073 UTC]
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe  Code function: 0_2_06FBD318 push ss; iretd 0_2_06FBD31E
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe  Code function: 0_2_06FBBF58 push ss; iretd 0_2_06FBBF62
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe  Code function: 1_2_05612840 push esp; retf 1_2_05612AC9
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe  Code function: 1_2_05612E78 push esp; iretd 1_2_05612E79
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe  Code function: 1_2_05BEA1C0 push ss; iretd 1_2_05BEA1EE
            Source: PENDING PAYMENT FOR March SOA.exe  Static PE information: section name: .text entropy: 7.700121367803606
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, rRZvRnpEAAKbYV2uU4.cs  High entropy of concatenated method names: 'mGCYVWXT9S', 'vRxYIPIq9g', 'wfitjoBJoo', 'n88tKTv88Y', 'LH6tsEhCvA', 'CgItv0BRJZ', 'HoAtRcNLwi', 'F1ctJHhAYw', 'txNth4xE3P', 'LEFt6ikQWI'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, BkdaYdAPSgLmgfafAw.cs  High entropy of concatenated method names: 'Dispose', 'L44Hrd1AOo', 'SHbSxFQDEW', 'wjvk9krHct', 'GcEHZKmxRF', 'sr8HzRaKBJ', 'ProcessDialogKey', 'hkCSBYMwKC', 'tnJSHoExKa', 'dcgSSGkBd5'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, tYMwKCrCnJoExKaOcg.cs  High entropy of concatenated method names: 'Ca4EuAw9KG', 'dvRExGXTJT', 'd8dEjmZx67', 'WApEKBshD1', 'DNTEsmN4v2', 'QCgEv9HNXK', 'oPlERsoj4D', 'CscEJJsTU2', 'gWbEhBMHtl', 'twvE6NjKmJ'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, VCBSmBzjx6sotXhiZK.cs  High entropy of concatenated method names: 'eYpQDD4WtW', 'ovoQkoZb2w', 'VQXQGkG339', 'wpwQuNkAOQ', 'myVQxRKwfr', 'H8pQKOIL4A', 'O5QQsZuig4', 'FM6Q282J8u', 'f0nQ5FJYNe', 'wKEQ8ojN6B'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, tKHMAjOsynGQkUrVxy.cs  High entropy of concatenated method names: 'WL8Hy6jdN9', 'NquHLxWsA7', 'dwjH0F16qO', 'dwAHNRWRZv', 'B2uHfU43Yr', 'x3nHgWY5JF', 'H1QwmFZ0yg92pBvchB', 'kiY3I7LKOYu8mmelKK', 'FdTHH5Sa6h', 'pBCHlR4TV6'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, VhkE3BHHRdqgqbpkM7S.cs  High entropy of concatenated method names: 'nk4QZxugf4', 'tPwQzZIGjF', 'KN8CBfMmSI', 'jJKCHbBfjI', 'KiKCSVQ8gU', 'dJWClUBBVm', 'dFYCOLJxhY', 'C8VCdKVUV7', 'eabCikfkeZ', 'UNJCATNIMr'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, vO2m2OGwjF16qOlwAR.cs  High entropy of concatenated method names: 'Mp6tTFstkP', 'iQatDeEyMn', 'xUxtk6suar', 'aZLtGoHkFU', 'AOotfFPuxs', 'wlZtgTAnCN', 'daqtPCvJ4M', 'X68tWJLdFn', 'al8tEulg0G', 'yihtQ6ppX8'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, YBkEcoSR9KJvZUxioc.cs  High entropy of concatenated method names: 'UAiUmXWin', 'wiTTihGsw', 'dd6Dmx2l0', 'JV0I4yCyr', 'WkEGpiMQx', 'NL5p4hQdK', 'nlf5M7QdVhX2uBXwfp', 'tUSj8w3NoFCfO04XWh', 'JN8WCsgAj', 'lqSQrR9ob'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, EkBd5NZ5HA9YOodv1M.cs  High entropy of concatenated method names: 'K6DQta22Wa', 'VgpQY5aGc8', 'NmlQcrQG0p', 'VEFQyQGB8R', 'SnEQEUwdOc', 'IXtQLjuxV0', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, eUenJu3fKs2SxhPQUL.cs  High entropy of concatenated method names: 'Ssbak0epOW', 'Sr2aGo8yGC', 'oksau9iF12', 'oJtaxPiM4u', 'GDhaKhFCOQ', 'YTJasMOCoB', 'XHuaRJQoh7', 'gnlaJk2Gb1', 'hHca6PVjnX', 'N8Ha9IKg4s'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, equwXfbxaYafKFOLWD.cs  High entropy of concatenated method names: 'ucGP08tMFp', 'p1kPNmWad2', 'ToString', 'llKPi5xtXZ', 'TIJPARxg6D', 'IduPtpMxQN', 'bBsPY1LaAY', 'ny6PcbxFxd', 'Xq3PyQ0Pnh', 'bi9PLPWMgx'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, SB2vxHhlubJZQOPVqk.cs  High entropy of concatenated method names: 'xN3y51wSfy', 'R2Vy8R04Ik', 'LMYyUpI3UE', 'AuoyTTM1wJ', 'rP8yV3cF03', 'tyOyDsBv0X', 'ebbyIlCpaK', 'VA9yk6BEXp', 'fKEyGN7s6X', 'aPtypcB0cg'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, MjFNFRLwn216pVmRQU.cs  High entropy of concatenated method names: 'bhEld3Wkki', 'qrVligUSoK', 'rfIlAvGqTC', 'Yoiltxf2RR', 't6ZlY4MqtV', 'PBYlcPppuE', 'Hd0lyqKgOa', 'P7alLhTwc0', 'cb2lMiccZS', 'PUbl0pW0y2'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, cuyXnZHOS3He6ShOuL0.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PHsmESg86w', 'ljcmQlJSBc', 'XQVmCm4T4U', 'ELsmmkAVJh', 'DlEmFwQ0fr', 'Kmkm4hBUsA', 'B24m2nEj3c'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, hg97GhoQELAoitEVWl.cs  High entropy of concatenated method names: 'm5EP1130CG', 'p0APZLI2E5', 'MKBWB0WcTF', 'tXSWHYNKUu', 'K3RP92pr8A', 'BM8PeJTsCt', 'chBP3EApZ2', 'EpQPq0IljP', 'U4rPXKSRVu', 'WgUPnZrfrc'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, PYr53nuWY5JFGNW05J.cs  High entropy of concatenated method names: 'y5LcdgFQwG', 'WEfcAu3ZuN', 'z0kcY5RPps', 'pHxcywc4cn', 'VNxcLCJ5YL', 'O42YwL5p1U', 'Fm4Yoxagrw', 'couY7q6Pl4', 'VUsY1lcgDR', 'R47YrP0CSB'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, Pcd2Ht712R44d1AOox.cs  High entropy of concatenated method names: 'KJqEfv5irD', 'k2CEP773OB', 'xULEEuK4V0', 'u0cECy2Hyy', 'Uh2EFcvueg', 'odfE2RIPS0', 'Dispose', 'x1UWiQRI6Z', 'H26WALW5jO', 'BLuWt7bMUA'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, GeErhVKm4C8fKaQokN.cs  High entropy of concatenated method names: 'rqCc2WfTA3', 'JQEc5sMrCJ', 'sUfcUAWb53', 'NdDcT0sPyX', 'V0ecDqWoRu', 'VbEcIGTHMi', 'FQQcGvm816', 'tkgcpgSw4L', 'P4hF8FhRS8nDgMrr6au', 'GPCsYWhj9tHblNscUR5'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, y6jdN9khquxWsA7Y7t.cs  High entropy of concatenated method names: 'bDCAqkaYTL', 'hUeAXkqVfx', 'IWFAndWxG4', 'tsSAbSHeKu', 'Dg9AwUiOu4', 'qk4Aoa8SYd', 'wZyA7yTTfj', 'zD4A1qckCj', 'H8gArT5XKp', 'bSNAZJs1A0'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.3abe230.3.raw.unpack, CsDWCkHBsNvmpNO9tWC.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SJkQ9cs3KK', 'PcbQevvTSC', 'QcYQ31LfEY', 'EfCQqCeuR8', 'GE1QX5exbs', 'RHsQnSOFiU', 'jIRQbGBPD7'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, rRZvRnpEAAKbYV2uU4.cs  High entropy of concatenated method names: 'mGCYVWXT9S', 'vRxYIPIq9g', 'wfitjoBJoo', 'n88tKTv88Y', 'LH6tsEhCvA', 'CgItv0BRJZ', 'HoAtRcNLwi', 'F1ctJHhAYw', 'txNth4xE3P', 'LEFt6ikQWI'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, BkdaYdAPSgLmgfafAw.cs  High entropy of concatenated method names: 'Dispose', 'L44Hrd1AOo', 'SHbSxFQDEW', 'wjvk9krHct', 'GcEHZKmxRF', 'sr8HzRaKBJ', 'ProcessDialogKey', 'hkCSBYMwKC', 'tnJSHoExKa', 'dcgSSGkBd5'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, tYMwKCrCnJoExKaOcg.cs  High entropy of concatenated method names: 'Ca4EuAw9KG', 'dvRExGXTJT', 'd8dEjmZx67', 'WApEKBshD1', 'DNTEsmN4v2', 'QCgEv9HNXK', 'oPlERsoj4D', 'CscEJJsTU2', 'gWbEhBMHtl', 'twvE6NjKmJ'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, VCBSmBzjx6sotXhiZK.cs  High entropy of concatenated method names: 'eYpQDD4WtW', 'ovoQkoZb2w', 'VQXQGkG339', 'wpwQuNkAOQ', 'myVQxRKwfr', 'H8pQKOIL4A', 'O5QQsZuig4', 'FM6Q282J8u', 'f0nQ5FJYNe', 'wKEQ8ojN6B'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, tKHMAjOsynGQkUrVxy.cs  High entropy of concatenated method names: 'WL8Hy6jdN9', 'NquHLxWsA7', 'dwjH0F16qO', 'dwAHNRWRZv', 'B2uHfU43Yr', 'x3nHgWY5JF', 'H1QwmFZ0yg92pBvchB', 'kiY3I7LKOYu8mmelKK', 'FdTHH5Sa6h', 'pBCHlR4TV6'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, VhkE3BHHRdqgqbpkM7S.cs  High entropy of concatenated method names: 'nk4QZxugf4', 'tPwQzZIGjF', 'KN8CBfMmSI', 'jJKCHbBfjI', 'KiKCSVQ8gU', 'dJWClUBBVm', 'dFYCOLJxhY', 'C8VCdKVUV7', 'eabCikfkeZ', 'UNJCATNIMr'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, vO2m2OGwjF16qOlwAR.cs  High entropy of concatenated method names: 'Mp6tTFstkP', 'iQatDeEyMn', 'xUxtk6suar', 'aZLtGoHkFU', 'AOotfFPuxs', 'wlZtgTAnCN', 'daqtPCvJ4M', 'X68tWJLdFn', 'al8tEulg0G', 'yihtQ6ppX8'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, YBkEcoSR9KJvZUxioc.cs  High entropy of concatenated method names: 'UAiUmXWin', 'wiTTihGsw', 'dd6Dmx2l0', 'JV0I4yCyr', 'WkEGpiMQx', 'NL5p4hQdK', 'nlf5M7QdVhX2uBXwfp', 'tUSj8w3NoFCfO04XWh', 'JN8WCsgAj', 'lqSQrR9ob'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, EkBd5NZ5HA9YOodv1M.cs  High entropy of concatenated method names: 'K6DQta22Wa', 'VgpQY5aGc8', 'NmlQcrQG0p', 'VEFQyQGB8R', 'SnEQEUwdOc', 'IXtQLjuxV0', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, eUenJu3fKs2SxhPQUL.cs  High entropy of concatenated method names: 'Ssbak0epOW', 'Sr2aGo8yGC', 'oksau9iF12', 'oJtaxPiM4u', 'GDhaKhFCOQ', 'YTJasMOCoB', 'XHuaRJQoh7', 'gnlaJk2Gb1', 'hHca6PVjnX', 'N8Ha9IKg4s'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, equwXfbxaYafKFOLWD.cs  High entropy of concatenated method names: 'ucGP08tMFp', 'p1kPNmWad2', 'ToString', 'llKPi5xtXZ', 'TIJPARxg6D', 'IduPtpMxQN', 'bBsPY1LaAY', 'ny6PcbxFxd', 'Xq3PyQ0Pnh', 'bi9PLPWMgx'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, SB2vxHhlubJZQOPVqk.cs  High entropy of concatenated method names: 'xN3y51wSfy', 'R2Vy8R04Ik', 'LMYyUpI3UE', 'AuoyTTM1wJ', 'rP8yV3cF03', 'tyOyDsBv0X', 'ebbyIlCpaK', 'VA9yk6BEXp', 'fKEyGN7s6X', 'aPtypcB0cg'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, MjFNFRLwn216pVmRQU.cs  High entropy of concatenated method names: 'bhEld3Wkki', 'qrVligUSoK', 'rfIlAvGqTC', 'Yoiltxf2RR', 't6ZlY4MqtV', 'PBYlcPppuE', 'Hd0lyqKgOa', 'P7alLhTwc0', 'cb2lMiccZS', 'PUbl0pW0y2'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, cuyXnZHOS3He6ShOuL0.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PHsmESg86w', 'ljcmQlJSBc', 'XQVmCm4T4U', 'ELsmmkAVJh', 'DlEmFwQ0fr', 'Kmkm4hBUsA', 'B24m2nEj3c'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, hg97GhoQELAoitEVWl.cs  High entropy of concatenated method names: 'm5EP1130CG', 'p0APZLI2E5', 'MKBWB0WcTF', 'tXSWHYNKUu', 'K3RP92pr8A', 'BM8PeJTsCt', 'chBP3EApZ2', 'EpQPq0IljP', 'U4rPXKSRVu', 'WgUPnZrfrc'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, PYr53nuWY5JFGNW05J.cs  High entropy of concatenated method names: 'y5LcdgFQwG', 'WEfcAu3ZuN', 'z0kcY5RPps', 'pHxcywc4cn', 'VNxcLCJ5YL', 'O42YwL5p1U', 'Fm4Yoxagrw', 'couY7q6Pl4', 'VUsY1lcgDR', 'R47YrP0CSB'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, Pcd2Ht712R44d1AOox.cs  High entropy of concatenated method names: 'KJqEfv5irD', 'k2CEP773OB', 'xULEEuK4V0', 'u0cECy2Hyy', 'Uh2EFcvueg', 'odfE2RIPS0', 'Dispose', 'x1UWiQRI6Z', 'H26WALW5jO', 'BLuWt7bMUA'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, GeErhVKm4C8fKaQokN.cs  High entropy of concatenated method names: 'rqCc2WfTA3', 'JQEc5sMrCJ', 'sUfcUAWb53', 'NdDcT0sPyX', 'V0ecDqWoRu', 'VbEcIGTHMi', 'FQQcGvm816', 'tkgcpgSw4L', 'P4hF8FhRS8nDgMrr6au', 'GPCsYWhj9tHblNscUR5'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, y6jdN9khquxWsA7Y7t.cs  High entropy of concatenated method names: 'bDCAqkaYTL', 'hUeAXkqVfx', 'IWFAndWxG4', 'tsSAbSHeKu', 'Dg9AwUiOu4', 'qk4Aoa8SYd', 'wZyA7yTTfj', 'zD4A1qckCj', 'H8gArT5XKp', 'bSNAZJs1A0'
            Source: 0.2.PENDING PAYMENT FOR March SOA.exe.6f10000.6.raw.unpack, CsDWCkHBsNvmpNO9tWC.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SJkQ9cs3KK', 'PcbQevvTSC', 'QcYQ31LfEY', 'EfCQqCeuR8', 'GE1QX5exbs', 'RHsQnSOFiU', 'jIRQbGBPD7'
            Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe  Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: Yara match -- File source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8368, type: MEMORYSTR
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: 4910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: 8F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: 9F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: A130000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: B130000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: 2F30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: 2E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599657
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599532
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599407
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599282
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599157
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599032
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598922
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598813
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598688
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598563
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598438
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598313
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598203
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597969
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596235
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596110
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595985
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595735
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595485
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594110
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 593985
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Window / User API: threadDelayed 1786
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Window / User API: threadDelayed 8030
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8372 -- Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8388 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8516 -- Thread sleep count: 1786 > 30
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8516 -- Thread sleep count: 8030 > 30
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -599032s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -598688s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe TID: 8512 -- Thread sleep time: -593985s >= -30000s
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599657
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599532
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599407
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599282
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599157
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 599032
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598922
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598813
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598688
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598563
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598438
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598313
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598203
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597969
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596235
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 596110
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595985
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595735
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595485
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 594110
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Thread delayed: delay time: 593985
Source: PENDING PAYMENT FOR March SOA.exe, 00000001.00000002.3768826144.0000000001446000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Code function: 1_2_05617D90 LdrInitializeThunk,1_2_05617D90
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Memory written: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Process created: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe "C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe"
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000001.00000002.3769862378.0000000003105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000001.00000002.3769862378.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8368, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8416, type: MEMORYSTR
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\PENDING PAYMENT FOR March SOA.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8368, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8416, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 1.2.PENDING PAYMENT FOR March SOA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.39a77c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.PENDING PAYMENT FOR March SOA.exe.3986da8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000001.00000002.3767859963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000001.00000002.3769862378.0000000003105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1306205450.0000000003918000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000001.00000002.3769862378.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8368, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: PENDING PAYMENT FOR March SOA.exe PID: 8416, type: MEMORYSTR
            MITRE ATT&CK Matrix

            (Reconstructed from the flattened 14-column table. Each tactic lists its nine matrix cells in row order; the digits in front of a technique are the matched-signature count badges exactly as the report renders them, and techniques without digits had no matching signature.)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
