
Windows Analysis Report
SOA FEB 2025.exe

Overview

General Information

Sample name: SOA FEB 2025.exe
Analysis ID: 1638434
MD5: ed5fe07a29c69e6bf26e20460cbdfcaf
SHA1: 12305dca957f7bb07e9ec1c6e6c7229ad50d1275
SHA256: 90bbf74c53f21c5eb3102a1851b413bb19a80bb76f461efc2f9c5c3d96f1b93b
Tags: exe, user-threatcat_ch

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SOA FEB 2025.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\SOA FEB 2025.exe" MD5: ED5FE07A29C69E6BF26E20460CBDFCAF)
    • RegSvcs.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\SOA FEB 2025.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"EXfil Mode": "Telegram", "Telegram Token": "7563833743:AAGqp8ZlKOECgMPhdAq5I6-k3SMLKGbXjjY", "Telegram Chatid": "6403200178"}
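The process tree above is the detection-relevant part of this report: RegSvcs.exe (PID 6620), a Microsoft-signed .NET Framework utility, is started by the dropper and is recorded with the dropper's own command line, which fits the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures. The following Python is an added example, not code from the report or from Joe Security: it flags that pattern over constructed Sysmon-style process-creation records. The list of hollowing targets and the event field names are assumptions for the example.

```python
"""Added example (not part of the Joe Sandbox report): flag a signed .NET utility
that is started with a foreign command line from a user-writable location."""
import ntpath
from dataclasses import dataclass

# Microsoft-signed .NET Framework binaries commonly used as injection hosts.
# This set is an assumption for the example, not taken from the report.
DOTNET_HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                         "installutil.exe", "aspnet_compiler.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed, Sysmon-like field names)."""
    pid: int
    ppid: int
    image: str          # path of the image actually executed
    cmdline: str        # command line as recorded; may be spoofed by the parent
    parent_image: str


def cmdline_exe(cmdline: str) -> str:
    """Return argv[0] of a Windows command line, handling the quoted form."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def suspicious_hollow(ev: ProcEvent) -> list[str]:
    """Reasons why this event looks like a hollowed .NET utility; empty if benign."""
    reasons = []
    image_name = ntpath.basename(ev.image).lower()
    if image_name not in DOTNET_HOLLOW_TARGETS:
        return reasons
    argv0 = ntpath.basename(cmdline_exe(ev.cmdline)).lower()
    # The executed image and the executable named on its command line disagree,
    # as for RegSvcs.exe PID 6620 in the report (cmdline names the dropper).
    if argv0 and argv0 != image_name:
        reasons.append(f"{image_name} started with foreign command line {ev.cmdline!r}")
    # A .NET framework utility is normally launched by installers or build tools
    # under C:\Windows, not by an executable sitting on a user's desktop.
    parent_dir = ntpath.dirname(ev.parent_image).lower()
    if not parent_dir.startswith(r"c:\windows"):
        reasons.append(f"{image_name} spawned by {ev.parent_image} outside C:\\Windows")
    return reasons


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """PID -> reasons, for every event that triggered at least one reason."""
    return {e.pid: r for e in events if (r := suspicious_hollow(e))}


# Constructed events mirroring the report's process tree (PIDs from the report);
# the third event is a benign RegSvcs.exe invocation for contrast.
SAMPLE_EVENTS = [
    ProcEvent(6212, 4000, r"C:\Users\user\Desktop\SOA FEB 2025.exe",
              r'"C:\Users\user\Desktop\SOA FEB 2025.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(6620, 6212, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\Desktop\SOA FEB 2025.exe"',
              r"C:\Users\user\Desktop\SOA FEB 2025.exe"),
    ProcEvent(7000, 900, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /u app.dll',
              r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

The command-line mismatch alone is a strong signal because the child inherits it only when the parent creates the process itself and then rewrites its memory; pairing it with the parent's location keeps ordinary installer-driven RegSvcs.exe runs out of the alert.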
Source | Rule | Description | Author
00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xf06f:$a1: get_encryptedPassword
  • 0xf397:$a2: get_encryptedUsername
  • 0xee0a:$a3: get_timePasswordChanged
  • 0xef2b:$a4: get_passwordField
  • 0xf085:$a5: set_encryptedPassword
  • 0x109d6:$a7: get_logins
  • 0x10687:$a8: GetOutlookPasswords
  • 0x10479:$a9: StartKeylogger
  • 0x10926:$a10: KeyLoggerEventArgs
  • 0x104d6:$a11: KeyLoggerEventArgsEventHandler
(17 entries in total; remainder not shown)
Source | Rule | Description | Author
0.2.SOA FEB 2025.exe.3cf0000.1.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.SOA FEB 2025.exe.3cf0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.SOA FEB 2025.exe.3cf0000.1.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
0.2.SOA FEB 2025.exe.3cf0000.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.SOA FEB 2025.exe.3cf0000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xd26f:$a1: get_encryptedPassword
  • 0xd597:$a2: get_encryptedUsername
  • 0xd00a:$a3: get_timePasswordChanged
  • 0xd12b:$a4: get_passwordField
  • 0xd285:$a5: set_encryptedPassword
  • 0xebd6:$a7: get_logins
  • 0xe887:$a8: GetOutlookPasswords
  • 0xe679:$a9: StartKeylogger
  • 0xeb26:$a10: KeyLoggerEventArgs
  • 0xe6d6:$a11: KeyLoggerEventArgsEventHandler
(13 entries in total; remainder not shown)

No Sigma rule has matched
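The SnakeKeylogger rule above matches on plain method and type names (get_encryptedPassword, StartKeylogger, KeyLoggerEventArgs, ...). In a .NET assembly these live as null-terminated UTF-8 entries in the #Strings metadata heap, which is why the rule hits the unpacked payload at 0x3cf0000 and the RegSvcs.exe memory but never the AutoIt outer layer. The Python below is an added example, not the rule itself or code from the report: it scans a constructed stand-in for such a heap for the listed strings and prints hits in the report's offset:$id form. The "at least six strings" threshold is an assumption made for the example, not the rule's real condition.

```python
"""Added example (not the Elastic rule or code from the report): locate the
string identifiers listed in the Windows_Trojan_SnakeKeylogger_af3faa65 match."""

# String ids and values exactly as listed in the report's match output.
SNAKE_STRINGS = {
    "$a1": b"get_encryptedPassword",
    "$a2": b"get_encryptedUsername",
    "$a3": b"get_timePasswordChanged",
    "$a4": b"get_passwordField",
    "$a5": b"set_encryptedPassword",
    "$a7": b"get_logins",
    "$a8": b"GetOutlookPasswords",
    "$a9": b"StartKeylogger",
    "$a10": b"KeyLoggerEventArgs",
    "$a11": b"KeyLoggerEventArgsEventHandler",
}


def find_all(buf: bytes, needle: bytes) -> list[int]:
    """Every offset of needle in buf, overlapping occurrences included."""
    hits, pos = [], buf.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(needle, pos + 1)
    return hits


def scan_buffer(buf: bytes) -> dict[str, list[int]]:
    """Map each string id to its offsets; ids with no hit are omitted."""
    return {sid: offs for sid, s in SNAKE_STRINGS.items() if (offs := find_all(buf, s))}


def rule_matches(buf: bytes, threshold: int = 6) -> bool:
    """Assumed condition for illustration: at least `threshold` distinct strings."""
    return len(scan_buffer(buf)) >= threshold


def format_hits(hits: dict[str, list[int]]) -> list[str]:
    """Render hits like the report ('0xf06f:$a1: get_encryptedPassword'), by offset."""
    return [f"0x{off:x}:{sid}: {SNAKE_STRINGS[sid].decode()}"
            for off, sid in sorted((o, s) for s, offs in hits.items() for o in offs)]


def fake_strings_heap(identifiers: list[bytes], lead_pad: int = 0x1000) -> bytes:
    """Constructed stand-in for a .NET #Strings heap: null-terminated UTF-8 names
    preceded by lead_pad bytes, so offsets resemble those in a mapped image."""
    return b"\x00" * lead_pad + b"\x00".join(identifiers) + b"\x00"


# Constructed buffers: one carrying the stealer's identifiers, one benign.
SAMPLE_HEAP = fake_strings_heap([
    b"Main", b"GetOutlookPasswords", b"StartKeylogger",
    b"KeyLoggerEventArgsEventHandler", b"get_logins",
    b"get_encryptedPassword", b"get_passwordField",
])
BENIGN_HEAP = fake_strings_heap([b"Main", b"get_Name", b"set_Name", b"ToString"])

if __name__ == "__main__":
    for line in format_hits(scan_buffer(SAMPLE_HEAP)):
        print(line)
    print("matches:", rule_matches(SAMPLE_HEAP), rule_matches(BENIGN_HEAP))
```

Note that $a10 (KeyLoggerEventArgs) is a prefix of $a11 (KeyLoggerEventArgsEventHandler), so a single heap entry for the handler type satisfies both strings at the same offset; the report shows them at different offsets because the real assembly defines both types.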
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-14T11:55:29.930202+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49706 | 132.226.247.73 | 80 | TCP


AV Detection

Source: SOA FEB 2025.exe | Avira: detected
Source: 00000002.00000002.2359971170.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7563833743:AAGqp8ZlKOECgMPhdAq5I6-k3SMLKGbXjjY", "Telegram Chatid": "6403200178"}
Source: SOA FEB 2025.exe | VirusTotal: Detection: 43%
Source: SOA FEB 2025.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: SOA FEB 2025.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.11:49707 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP | source: SOA FEB 2025.exe, 00000000.00000003.1105591631.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000000.00000003.1105052259.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SOA FEB 2025.exe, 00000000.00000003.1105591631.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000000.00000003.1105052259.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00473B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00F15366 4x nop then jmp 00F15782h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00F14F08 4x nop then jmp 00F151B9h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00F156AF 4x nop then jmp 00F15782h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF15F8 4x nop then jmp 05FF1935h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFCDE0 4x nop then jmp 05FFD088h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFED80 4x nop then jmp 05FFF028h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF0D48 4x nop then jmp 05FF0FF1h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFC530 4x nop then jmp 05FFC7D8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFE4D0 4x nop then jmp 05FFE778h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF9CA0 4x nop then jmp 05FFA0C0h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF0498 4x nop then jmp 05FF0741h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFBC80 4x nop then jmp 05FFBF28h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF3C50 4x nop then jmp 05FF3EF8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFDC20 4x nop then jmp 05FFDEC8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF37F8 4x nop then jmp 05FF3AA0h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFAF78 4x nop then jmp 05FFB220h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF2F48 4x nop then jmp 05FF31F0h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFA6C8 4x nop then jmp 05FFA970h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFD690 4x nop then jmp 05FFD93Ah
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFF630 4x nop then jmp 05FFF8D8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFF1D8 4x nop then jmp 05FFF480h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF11A0 4x nop then jmp 05FF1449h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFC988 4x nop then jmp 05FFCC30h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFE928 4x nop then jmp 05FFEBD0h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF08F0 4x nop then jmp 05FF0B99h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFC0D8 4x nop then jmp 05FFC380h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF40A8 4x nop then jmp 05FF4350h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFE078 4x nop then jmp 05FFE320h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF0040 4x nop then jmp 05FF02E9h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFB828 4x nop then jmp 05FFBAD0h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFB3D0 4x nop then jmp 05FFB678h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF33A0 4x nop then jmp 05FF3648h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFAB20 4x nop then jmp 05FFADC8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FF2AF0 4x nop then jmp 05FF2D98h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFFA88 4x nop then jmp 05FFFD30h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFA270 4x nop then jmp 05FFA518h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05FFD238 4x nop then jmp 05FFD4E0h
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49706 -> 132.226.247.73:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.11:49707 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com0
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: SOA FEB 2025.exe, 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SOA FEB 2025.exe, 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: SOA FEB 2025.exe, 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
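The network findings above form a compact detection set: an IP lookup at checkip.dyndns.org with an outdated MSIE 6.0 User-Agent, a geolocation request to reallyfreegeoip.org with no User-Agent at all, a TLS 1.0 session whose JA3 hash Joe Sandbox has seen with other malware, and a Telegram Bot API sendDocument endpoint that the extracted configuration completes with a bot token and chat id. The Python below is an added example, not code from the report or from Joe Security: it rebuilds the exfiltration URL from a configuration in the extractor's shape and runs the indicators over constructed log lines. The log line format is invented for the example, and the token and chat id are placeholders of the same shape as the real values, not the values from the report; that the token follows "bot" in the path is an assumption based on the memory string above.

```python
"""Added example (not part of the Joe Sandbox report): derive network indicators
from a MassLogger-style configuration and match them against constructed logs."""
import re
from urllib.parse import urlsplit

# Configuration in the shape the report's extractor emits. The token and chat id
# are CONSTRUCTED placeholders with the real values' format, not the real values.
SAMPLE_CONFIG = {
    "EXfil Mode": "Telegram",
    "Telegram Token": "1234567890:" + "A" * 35,
    "Telegram Chatid": "1111111111",
}

# Indicators taken from the report's network section.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IPCHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
BAD_JA3 = {"54328bd36c14bd82ddaa0c04b25ed9ad"}
# Telegram bot token shape: numeric bot id, colon, 35-character secret.
TOKEN_RE = re.compile(r"/bot(\d{8,10}:[A-Za-z0-9_-]{35})/")


def exfil_url(cfg: dict) -> str:
    """Rebuild the sendDocument endpoint seen as a partial string in memory."""
    if cfg.get("EXfil Mode") != "Telegram":
        raise ValueError("only the Telegram exfil mode is handled here")
    return (f"https://api.telegram.org/bot{cfg['Telegram Token']}"
            f"/sendDocument?chat_id={cfg['Telegram Chatid']}")


def classify(line: str) -> list[str]:
    """Return the indicator names a log line triggers.

    Constructed line formats: 'http <method> <url> ua=<user-agent or ->' and
    'tls <server:port> version=<ver> ja3=<hash>'."""
    kind, rest = line.split(" ", 1)
    hits = []
    if kind == "http":
        _method, url, ua = rest.split(" ", 2)
        ua = ua[len("ua="):]
        host = urlsplit(url).hostname or ""
        if host in IPCHECK_HOSTS:
            hits.append("external IP/geo lookup")
            if ua == "-":
                hits.append("HTTP without User-Agent")
        if ua == LEGACY_UA:
            hits.append("legacy MSIE 6.0 User-Agent")
        if host == "api.telegram.org" and TOKEN_RE.search(url):
            hits.append("Telegram bot API with embedded token")
    elif kind == "tls":
        fields = dict(f.split("=", 1) for f in rest.split(" ")[1:])
        if fields.get("version") == "1.0":
            hits.append("TLS 1.0 client session")
        if fields.get("ja3") in BAD_JA3:
            hits.append("JA3 seen with other malware")
    return hits


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Line -> triggered indicators, omitting lines that trigger none."""
    return {ln: h for ln in lines if (h := classify(ln))}


# Constructed log lines modelled on the report's traffic; the last one is benign.
SAMPLE_LOG = [
    "http GET http://checkip.dyndns.org/ ua=" + LEGACY_UA,
    "http GET https://reallyfreegeoip.org/xml/8.46.123.189 ua=-",
    "tls 104.21.16.1:443 version=1.0 ja3=54328bd36c14bd82ddaa0c04b25ed9ad",
    "http POST " + exfil_url(SAMPLE_CONFIG) + " ua=-",
    "http GET https://www.example.com/ ua=Mozilla/5.0",
]

if __name__ == "__main__":
    for ln, hits in scan(SAMPLE_LOG).items():
        print(ln[:60], "->", ", ".join(hits))
```

Blocking api.telegram.org outright is rarely acceptable, so the token pattern in the URL path is the useful discriminator: legitimate Telegram clients talk to the API with a user session, not with a bot token embedded in the request path from an endpoint that has just asked an external service for its own public IP.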

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00484164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00483F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0049CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

                  Source: 0.2.SOA FEB 2025.exe.3cf0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.SOA FEB 2025.exe.3cf0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: SOA FEB 2025.exe PID: 6212, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: RegSvcs.exe PID: 6620, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: This is a third-party compiled AutoIt script.0_2_00413B3A
                  Source: SOA FEB 2025.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: SOA FEB 2025.exe, 00000000.00000002.1106307994.00000000004C4000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c0754d0f-f
                  Source: SOA FEB 2025.exe, 00000000.00000002.1106307994.00000000004C4000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_96f35107-7
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_00413633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00413633
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_0049C1AC
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_0049C498
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C57D SendMessageW,NtdllDialogWndProc_W,0_2_0049C57D
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_0049C5FE
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C860 NtdllDialogWndProc_W,0_2_0049C860
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C88F NtdllDialogWndProc_W,0_2_0049C88F
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C8BE NtdllDialogWndProc_W,0_2_0049C8BE
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C909 NtdllDialogWndProc_W,0_2_0049C909
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049C93E ClientToScreen,NtdllDialogWndProc_W,0_2_0049C93E
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049CA7C GetWindowLongW,NtdllDialogWndProc_W,0_2_0049CA7C
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0049CABC
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_00411287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74ADC8D0,NtdllDialogWndProc_W,0_2_00411287
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_00411290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00411290
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049D3B8 NtdllDialogWndProc_W,0_2_0049D3B8
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_0049D43E
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0041167D NtdllDialogWndProc_W,0_2_0041167D
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_004116DE GetParent,NtdllDialogWndProc_W,0_2_004116DE
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_004116B5 NtdllDialogWndProc_W,0_2_004116B5
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049D78C NtdllDialogWndProc_W,0_2_0049D78C
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0041189B NtdllDialogWndProc_W,0_2_0041189B
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049BC5D NtdllDialogWndProc_W,CallWindowProcW,0_2_0049BC5D
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049BF30 NtdllDialogWndProc_W,0_2_0049BF30
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0049BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_0049BF8C
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0047A1FC: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0047A1FC
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_00468310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74C45590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00468310
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_004751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004751BD
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code functions: 0_2_0043D975, 0_2_004321C5, 0_2_004462D2, 0_2_004903DA, 0_2_0044242E, 0_2_004325FA, 0_2_0046E616, 0_2_004266E1, 0_2_0041E6A0, 0_2_0044878F, 0_2_00446844, 0_2_00490857, 0_2_00428808, 0_2_00478889, 0_2_0043CB21, 0_2_00446DB6, 0_2_00426F9E, 0_2_00423030, 0_2_0043F1D9, 0_2_00433187, 0_2_00411287, 0_2_00431484, 0_2_00425520, 0_2_00437696, 0_2_00425760, 0_2_00431978, 0_2_00449AB5, 0_2_0041FCE0, 0_2_00497DDB, 0_2_00431D90, 0_2_0043BDA6, 0_2_0041DF00, 0_2_00423FE0, 0_2_01340D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 2_2_00F1C168, 2_2_00F1CAB0, 2_2_00F12DD1, 2_2_00F17E68, 2_2_00F14F08, 2_2_00F1C386, 2_2_00F1B583, 2_2_00F1B50B, 2_2_00F1B9E0, 2_2_00F1B9D0, 2_2_00F1CAAE, 2_2_00F14EF8, 2_2_00F17E59, 2_2_05FF15F8, 2_2_05FF4500, 2_2_05FF1C58, 2_2_05FF7780, 2_2_05FF6A20, 2_2_05FF15EA, 2_2_05FFCDE0, 2_2_05FFCDD0, 2_2_05FFED80, 2_2_05FFED70, 2_2_05FF0D48, 2_2_05FF0D39, 2_2_05FFC530, 2_2_05FFC520, 2_2_05FFE4D0, 2_2_05FFE4C0, 2_2_05FF9CA0, 2_2_05FF0498, 2_2_05FF0489, 2_2_05FFBC80, 2_2_05FFBC71, 2_2_05FF3C50, 2_2_05FF1C49, 2_2_05FF3C43, 2_2_05FFDC20, 2_2_05FFDC13, 2_2_05FF37F8, 2_2_05FF37E8, 2_2_05FFAF78, 2_2_05FFAF68, 2_2_05FF2F48, 2_2_05FF2F38, 2_2_05FFA6C8, 2_2_05FFA6B9, 2_2_05FFD690, 2_2_05FFD683, 2_2_05FFF630, 2_2_05FFF620, 2_2_05FFF1D8, 2_2_05FFF1C8, 2_2_05FF11A0, 2_2_05FF118F, 2_2_05FFC988, 2_2_05FFC97B, 2_2_05FFE928, 2_2_05FFE918, 2_2_05FF08F0, 2_2_05FF08DF, 2_2_05FFC0D8, 2_2_05FFC0CB, 2_2_05FF40A8, 2_2_05FF4098, 2_2_05FFE078, 2_2_05FFE068, 2_2_05FF0040, 2_2_05FFB828, 2_2_05FF001F, 2_2_05FFB818, 2_2_05FFB3D0, 2_2_05FFB3C1, 2_2_05FF33A0, 2_2_05FF3393, 2_2_05FFAB20, 2_2_05FFAB10, 2_2_05FF2AF0, 2_2_05FF2AE0, 2_2_05FFFA88, 2_2_05FFFA78, 2_2_05FFA270, 2_2_05FFA261, 2_2_05FFD238, 2_2_05FFD22B
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: String function: 00430AE3 appears 70 times
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: String function: 00438900 appears 42 times
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: String function: 00417DE1 appears 36 times
Source: SOA FEB 2025.exe, 00000000.00000003.1104306236.0000000003E33000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SOA FEB 2025.exe
Source: SOA FEB 2025.exe, 00000000.00000003.1106102187.0000000003FFD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SOA FEB 2025.exe
Source: SOA FEB 2025.exe, 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs SOA FEB 2025.exe
Source: SOA FEB 2025.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.SOA FEB 2025.exe.3cf0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA FEB 2025.exe.3cf0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SOA FEB 2025.exe PID: 6212, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6620, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004681CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0048EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00414E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | File created: C:\Users\user\AppData\Local\Temp\aut9835.tmp
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.2359971170.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2359971170.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2360751404.0000000003ADD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2359971170.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2359971170.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2359971170.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SOA FEB 2025.exe | VirusTotal: Detection: 43%
Source: SOA FEB 2025.exe | ReversingLabs: Detection: 55%
Source: unknown | Process created: C:\Users\user\Desktop\SOA FEB 2025.exe "C:\Users\user\Desktop\SOA FEB 2025.exe"
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA FEB 2025.exe"
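The process-creation pair above is the detail a responder keys on. RegSvcs.exe, a signed .NET framework utility, is started by the sample with a command line that names the sample's own path rather than RegSvcs.exe, and the unpacked-PE and memory rule matches place the stealer payload at RegSvcs.exe's image base (the 2.2.RegSvcs.exe.400000.0.unpack entry and the 0x402000 memory region). Image path and argv[0] disagreeing, combined with a framework utility spawned from a user-writable directory, is the usual process hollowing (RunPE) footprint. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a small triage filter over Sysmon-style process-creation records, constructed inline, the first of which reproduces the pair reported here. The record field names and the list of .NET host binaries are assumptions chosen for the example.

```python
import ntpath
from dataclasses import dataclass


# Minimal stand-in for a Sysmon Event ID 1 (process creation) record.
# Field names are an assumption chosen for this example.
@dataclass(frozen=True)
class ProcessCreate:
    image: str          # full path of the new process
    command_line: str   # command line it was started with
    parent_image: str   # full path of the creating process


# Signed .NET framework utilities that commodity loaders hollow out to host a
# payload. The list is an assumption for the example, not taken from the report.
DOTNET_HOSTS = {
    "regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
    "aspnet_compiler.exe", "applaunch.exe", "caspol.exe",
}


def first_token(command_line: str) -> str:
    """Return argv[0] of a Windows command line, honouring a quoted first token."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:] if end == -1 else s[1:end]
    return s.split(None, 1)[0] if s else ""


def argv0_mismatch(ev: ProcessCreate) -> bool:
    """True when the executable named on the command line is not the process image."""
    argv0 = ntpath.basename(first_token(ev.command_line)).lower()
    return bool(argv0) and argv0 != ntpath.basename(ev.image).lower()


def user_writable(path: str) -> bool:
    """Crude check for a parent living where an unprivileged user can write."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\temp\\" in p or "\\appdata\\" in p


def hollowing_candidates(events):
    """Return [(event, [reasons])] for records that look like process hollowing."""
    hits = []
    for ev in events:
        reasons = []
        if argv0_mismatch(ev):
            reasons.append("command line names a different executable than the image")
        if ntpath.basename(ev.image).lower() in DOTNET_HOSTS and user_writable(ev.parent_image):
            reasons.append(".NET framework utility spawned from a user-writable location")
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample records; the first reproduces the pair reported above.
SAMPLE_EVENTS = [
    ProcessCreate(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        command_line=r'"C:\Users\user\Desktop\SOA FEB 2025.exe"',
        parent_image=r"C:\Users\user\Desktop\SOA FEB 2025.exe",
    ),
    ProcessCreate(  # legitimate RegSvcs use from an administrator's shell
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MyComponent.dll',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    ProcessCreate(  # ordinary user process; argv[0] is a bare name but it matches the image
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Users\user\notes.txt",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for ev, reasons in hollowing_candidates(SAMPLE_EVENTS):
        print(ev.image, "<-", ev.parent_image)
        for r in reasons:
            print("   ", r)
```

Only the first record is flagged, on both counts. Treat the argv[0] check as a triage lead rather than a verdict: some legitimate launchers also pass an argv[0] that differs from the image, so in production it belongs alongside the dynamic indicators this report already lists (the foreign-memory writes and the payload unpacked inside RegSvcs.exe).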
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: wntdll.pdbUGP | source: SOA FEB 2025.exe, 00000000.00000003.1105591631.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000000.00000003.1105052259.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SOA FEB 2025.exe, 00000000.00000003.1105591631.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, SOA FEB 2025.exe, 00000000.00000003.1105052259.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00414B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0041C4C6 push A30041BAh; retn 0041h (at 0_2_0041C50D)
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00438945 push ecx; ret (at 0_2_00438958)
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00412F12 push es; retf (at 0_2_00412F13)
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
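The UPX0/UPX1 section names, together with the push/ret sequences just above and the copies of ntdll.dll and a "CloudServices.exe" found in the sample's memory, mark the file on disk as a packed outer layer; UPX0 is conventionally the section that occupies address space but holds no data on disk, into which the stub decompresses. Both facts the report states about the static image, the characteristics EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE and the section names, come from the COFF file header and the section table that follows it. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a minimal PE header reader that recovers those two facts from raw bytes and flags packer-style sections. It runs on a constructed toy image built inline (DOS stub, PE signature, COFF header and section table, with no optional header), not on the real sample, and the list of packer section names is an assumption.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (PE/COFF specification), listed in the
# order the report prints them.
CHARACTERISTICS = [
    (0x0001, "RELOCS_STRIPPED"),
    (0x0002, "EXECUTABLE_IMAGE"),
    (0x0020, "LARGE_ADDRESS_AWARE"),
    (0x0100, "32BIT_MACHINE"),
    (0x2000, "DLL"),
]

# Section names left behind by common packers. An assumption for this example;
# a packer can trivially rename its sections, so treat a hit as a hint only.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".vmp0", ".vmp1", ".themida", ".aspack", ".petite", ".MPRESS1",
}


def parse_pe(data: bytes):
    """Return (characteristics, [(name, virtual_size, raw_size), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, n_sections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    if sec_table + 40 * n_sections > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(n_sections):
        off = sec_table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size))
    return chars, sections


def characteristics_names(chars: int):
    """Decode the Characteristics word into the flag names the report uses."""
    return [name for bit, name in CHARACTERISTICS if chars & bit]


def packer_indicators(data: bytes):
    """Human-readable reasons to suspect a packed image; an empty list means none found."""
    _chars, sections = parse_pe(data)
    reasons = []
    for name, vsize, raw_size in sections:
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section name {name!r} belongs to a known packer")
        if raw_size == 0 and vsize >= 0x1000:
            reasons.append(f"section {name!r} is empty on disk but {vsize:#x} bytes in memory")
    return reasons


def build_toy_pe(section_names, chars):
    """Construct a minimal PE: DOS stub, PE signature, COFF header and section table only."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine 0x14C (i386); SizeOfOptionalHeader 0 is a simplification for the toy image
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, chars)
    table = b""
    for i, name in enumerate(section_names):
        vsize = 0x20000 if name == "UPX0" else 0x1000
        raw = 0 if name == "UPX0" else 0x800  # UPX0 is the in-memory decompression target
        table += struct.pack("<8sIIII", name.encode(), vsize, 0x1000 * (i + 1), raw, 0x400)
        table += b"\0" * 16  # relocation/line-number fields and section flags, unused here
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    sample = build_toy_pe(["UPX0", "UPX1", ".rsrc"], 0x0122)
    chars, sections = parse_pe(sample)
    print(", ".join(characteristics_names(chars)))
    print([s[0] for s in sections], packer_indicators(sample))
```

In a real file the optional header is present and SizeOfOptionalHeader is 0xE0 (PE32) or 0xF0 (PE32+); the reader honours that field, so the toy's zero is only a convenience. Section names are cheap to rename, so the empty-on-disk check, and in practice the entropy of each section's raw bytes, are the sturdier signals of packing.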
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00495376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00433187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
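The "Code function" entries in this report (the DuplicateTokenEx/CreateProcessAsUserW chain, the ExitWindowsEx/InitiateSystemShutdownExW chain, the AdjustTokenPrivileges and CreateToolhelp32Snapshot call sites, LoadLibraryA/GetProcAddress, and the keybd_event/AttachThreadInput sequence directly above) are static call-site listings: each line is a function address followed by the imports that function calls, with the address repeated at the end and the occasional unresolved call target such as 74C45590 mixed in. When triaging, it helps to pull those sequences into capability buckets instead of reading them one at a time. The following is an added example, not part of the Joe Sandbox report and not a Joe Sandbox taxonomy: a parser for the entry format plus a small capability map. The bucket names and API groupings are the author's assumptions, and the input is a constructed sample consisting of a handful of this report's own entries in the raw extracted form.

```python
import re
from collections import defaultdict

# One "Code function:" entry. Group 1 is the function id, group 2 everything after it;
# the optional colon covers entries written "0_2_0047A1FC: GetFullPathNameW,...".
ENTRY_RE = re.compile(r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]{8}):?\s*(.*)$")
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # e.g. 74C45590, an unresolved call target

# Capability buckets: an assumption for this example, not a Joe Sandbox taxonomy.
CAPABILITIES = {
    "token manipulation / run as another user": {
        "DuplicateTokenEx", "CreateProcessAsUserW", "AdjustTokenPrivileges",
        "LookupPrivilegeValueW", "OpenWindowStationW", "OpenDesktopW"},
    "process enumeration": {
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "dynamic API resolution": {
        "LoadLibraryA", "LoadLibraryW", "GetModuleHandleW", "GetProcAddress"},
    "synthetic input / focus stealing": {
        "keybd_event", "AttachThreadInput", "SetForegroundWindow", "MapVirtualKeyW"},
    "shutdown / power control": {
        "ExitWindowsEx", "InitiateSystemShutdownExW", "SetSystemPowerState"},
}
MIN_MATCHES = 2  # two APIs of a bucket are required, so a lone GetProcAddress does not fire


def parse_entry(line):
    """Return (function_id, [api names]) for one report line, or None if it is not an entry."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    func_id, rest = m.group(1), m.group(2)
    apis = []
    for tok in rest.split(","):
        tok = tok.strip()
        # drop the trailing repeated id, bare call targets and empty tokens
        if not tok or FUNC_ID_RE.match(tok) or BARE_ADDR_RE.match(tok):
            continue
        apis.append(tok)
    return func_id, apis


def classify(apis):
    """Capability buckets for which at least MIN_MATCHES distinct listed APIs are present."""
    present = set(apis)
    return sorted(name for name, members in CAPABILITIES.items()
                  if len(present & members) >= MIN_MATCHES)


def capability_report(lines):
    """Map each capability to the function ids whose call list exhibits it, in input order."""
    out = defaultdict(list)
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        func_id, apis = parsed
        for cap in classify(apis):
            out[cap].append(func_id)
    return dict(out)


# Constructed sample: a few of this report's own entries, in the raw extracted form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_00468310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74C45590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00468310",
    r"Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_004751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004751BD",
    r"Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_004687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_004687E1",
    r"Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0048EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0048EE0D",
    r"Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_00414B37 LoadLibraryA,GetProcAddress,0_2_00414B37",
    r"Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_004148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,AttachThreadInput,MapVirtualKeyW,keybd_event,0_2_004148D7",
    r"Source: C:\Users\user\Desktop\SOA FEB 2025.exeCode function: 0_2_0043D9750_2_0043D975",
]

if __name__ == "__main__":
    for cap, funcs in capability_report(SAMPLE_LINES).items():
        print(f"{cap}: {', '.join(funcs)}")
```

The caveat that goes with any such bucket list: the report classifies this file as a compiled AutoIt script, and the AutoIt runtime implements its own RunAs, Shutdown, Send, ProcessList and DllCall built-ins on these same API families. These static hits therefore describe the capability surface of the interpreter that was shipped, not proof that the embedded script exercises each one; the dynamic evidence elsewhere in the report (the RegSvcs.exe injection, the Chrome login database and Outlook profile access) is what carries the verdict.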
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SOA FEB 2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SOA FEB 2025.exe | API/Special instruction interceptor: Address: 134094C
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | API coverage: 4.4 %
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00473B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0047BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: RegSvcs.exe, 00000002.00000002.2359082838.0000000000D88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00F1C168 LdrInitializeThunk,LdrInitializeThunk
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00483F09 BlockInput
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00413B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00445A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00414B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0133F5C8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_01340BB8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_01340C18 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004680A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0043A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0043A124 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 817008
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004687B1 LogonUserW
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00413B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00474C53 mouse_event
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA FEB 2025.exe"
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00467CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0046874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: SOA FEB 2025.exe, 00000000.00000002.1106307994.00000000004C4000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SOA FEB 2025.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0043862B cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_0043520A GetSystemTimeAsFileTime,__aulldiv
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00451E06 GetUserNameW
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00443F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_004149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 0.2.SOA FEB 2025.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SOA FEB 2025.exe PID: 6212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6620, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SOA FEB 2025.exe | Binary or memory string: WIN_81
Source: SOA FEB 2025.exe | Binary or memory string: WIN_XP
Source: SOA FEB 2025.exe | Binary or memory string: WIN_XPe
Source: SOA FEB 2025.exe | Binary or memory string: WIN_VISTA
Source: SOA FEB 2025.exe | Binary or memory string: WIN_7
Source: SOA FEB 2025.exe | Binary or memory string: WIN_8
Source: SOA FEB 2025.exe, 00000000.00000002.1106307994.00000000004C4000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 0.2.SOA FEB 2025.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2359971170.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SOA FEB 2025.exe PID: 6212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6620, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 0.2.SOA FEB 2025.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SOA FEB 2025.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SOA FEB 2025.exe PID: 6212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6620, type: MEMORYSTR
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00486283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\SOA FEB 2025.exe | Code function: 0_2_00486747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix, one line per tactic (the numeric prefixes are the report's signature-count badges, kept as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling
Credential Access: 1 OS Credential Dumping; 121 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 127 System Information Discovery; 131 Security Software Discovery; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Source | Detection | Scanner | Label | Link
SOA FEB 2025.exe | 44% | Virustotal | | Browse
SOA FEB 2025.exe | 55% | ReversingLabs | Win32.Trojan.AutoitInject |
SOA FEB 2025.exe | 100% | Avira | TR/AD.SnakeStealer.vbhyx |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://checkip.dyndns.com0 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.16.1 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.com0 | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.189l | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | SOA FEB 2025.exe, 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.2359971170.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | SOA FEB 2025.exe, 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | SOA FEB 2025.exe, 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2359971170.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
                                                        Joe Sandbox version:42.0.0 Malachite
                                                        Analysis ID:1638434
                                                        Start date and time:2025-03-14 11:54:23 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 5m 54s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:SOA FEB 2025.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@3/2@2/2
                                                        EGA Information:
                                                        • Successful, ratio: 100%
                                                        HCA Information:
                                                        • Successful, ratio: 99%
                                                        • Number of executed functions: 47
                                                        • Number of non-executed functions: 289
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.199.214.10
                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.16.1 | https://t.co/6BJID9q49h | malicious | HTMLPhisher | tcerfw.wittnng.sbs/favicon.ico
104.21.16.1 | J8bamK92a3.exe | malicious | FormBook | www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p
104.21.16.1 | 0t7MXNEfCg.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
104.21.16.1 | g1V10ssekg.exe | malicious | FormBook | www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
104.21.16.1 | 0IrTeguWM7.exe | malicious | FormBook | www.tumbetgirislinki.fit/ftbq/
104.21.16.1 | Shipping Document.exe | malicious | FormBook | www.rbopisalive.cyou/6m32/
104.21.16.1 | Payment Record.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
104.21.16.1 | Invoice Remittance ref27022558.exe | malicious | FormBook | www.rbopisalive.cyou/a669/
104.21.16.1 | ujXpculHYDYhc6i.exe | malicious | Lokibot | touxzw.ir/sss2/five/fre.php
104.21.16.1 | 368c6e62-b031-5b65-fd43-e7a610184138.eml | malicious | HTMLPhisher | ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
132.226.247.73 | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | INV000001203.scr | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | Statement FEB 2025pdf.com.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | file.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | PO-2513203-PDF.js | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | Product Order Hirsch 1475.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | wecreatebestthingsentirelifeforgivenyou.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | PENDING PAYMENT FOR March SOA.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | believe.ps1 | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | INV000001203.scr | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Payment slip.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Statement FEB 2025pdf.com.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Purchase Order No.1364.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
checkip.dyndns.com | file.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
checkip.dyndns.com | file.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
reallyfreegeoip.org | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | believe.ps1 | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
reallyfreegeoip.org | INV000001203.scr | malicious | Snake Keylogger, VIP Keylogger | 104.21.48.1
reallyfreegeoip.org | SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | Payment slip.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | Statement FEB 2025pdf.com.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | Purchase Order No.1364.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | file.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | file.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://zackoumpeels.net | malicious | Unknown | 104.18.41.59
CLOUDFLARENETUS | Client-built.exe | malicious | Discord Rat | 162.159.130.234
CLOUDFLARENETUS | SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe | malicious | ScreenConnect Tool | 172.67.152.68
CLOUDFLARENETUS | SHIPPING DETAILS_PDF.exe | malicious | FormBook | 172.67.165.31
CLOUDFLARENETUS | DEVM25.exe | malicious | LummaC Stealer | 104.21.80.1
CLOUDFLARENETUS | SecuriteInfo.com.W32.Lolbas.A.tr.29609.16284.exe | malicious | ScreenConnect Tool | 172.67.179.181
CLOUDFLARENETUS | RATbuilderbyenwyry.exe.bin.exe | malicious | Discord Rat | 162.159.134.234
CLOUDFLARENETUS | https://verifica-sow-portafoglio.com/sow.php | malicious | Unknown | 172.67.69.226
CLOUDFLARENETUS | RATbuilderbyenwyry.exe.bin.exe | malicious | Discord Rat | 162.159.134.234
CLOUDFLARENETUS | start.ps1 | malicious | Unknown | 104.21.22.104
UTMEMUS | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
UTMEMUS | INV000001203.scr | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | Statement FEB 2025pdf.com.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
UTMEMUS | file.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
UTMEMUS | SOA Since OCT DEC 241738316681530012900.bat | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
UTMEMUS | SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | PO-2513203-PDF.js | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | Product Order Hirsch 1475.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | wecreatebestthingsentirelifeforgivenyou.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | DON.ps1 | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | believe.ps1 | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | QUOTATION#006565.exe | malicious | RedLine | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | Payment slip.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | Mv Arkadiy ChernyshevCall for disch logs 8000cbms_pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | Notice Letter 2025 03 12 02930920.docs.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
                                                        No context
                                                        Process:C:\Users\user\Desktop\SOA FEB 2025.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):92672
                                                        Entropy (8bit):6.702636555683043
                                                        Encrypted:false
                                                        SSDEEP:1536:TXW0zG6FQPS1RwJPicQXrl5le2OekJFmC7xg:60DFES1uJHQXrQ2tkfDg
                                                        MD5:330BC68B28046F311B27980A223EC709
                                                        SHA1:2A9ABD5EE79CC8B848C7330D479AFA549B37C38D
                                                        SHA-256:44845282761FE349997200FBA16D10322AB9EE8D172E2D770DA3F2B357BD759A
                                                        SHA-512:27676500CC2056E2DAE50822CC19DE860296B9EE33F6ED4028E78BED901A0E3BCE77C015DE01D11E6C3881FCADA790835457C423AD3C8E053BB51AD5B8E1D65E
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Users\user\Desktop\SOA FEB 2025.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):60004
                                                        Entropy (8bit):7.894412712853886
                                                        Encrypted:false
                                                        SSDEEP:1536:/m3vAUMh2F5BEvV0cYbESGaQDWlkn1Yx+k8DMhHhHE1p:+3vC2XCewB39IhHhkj
                                                        MD5:06FE96F33ED87E666FADABAE3A9CA758
                                                        SHA1:BCEBE5FFDD8521C59E303E67481F24F79C860F9A
                                                        SHA-256:93AC78CE8348319415D68B683D512A6B312598F09067AF59032C6D3715C46434
                                                        SHA-512:993F71D8C0C9F0DD5715235C646F8A218795905C02FB8A2E91EA57402554A4B9115191C657A24E93D4B424BF7B34C89B03F89DE3AE2F744F469573A2F1494AAC
                                                        Malicious:false
                                                        Reputation:low
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                        Entropy (8bit):7.910445302302918
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.39%
                                                        • UPX compressed Win32 Executable (30571/9) 0.30%
                                                        • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        File name:SOA FEB 2025.exe
                                                        File size:504'320 bytes
                                                        MD5:ed5fe07a29c69e6bf26e20460cbdfcaf
                                                        SHA1:12305dca957f7bb07e9ec1c6e6c7229ad50d1275
                                                        SHA256:90bbf74c53f21c5eb3102a1851b413bb19a80bb76f461efc2f9c5c3d96f1b93b
                                                        SHA512:0d39192bfba033570b796cc14cd9cfb5104854359e751fc7afe48ae6517082bea234d5aaacb13e90e1a8eb2b74976997c93bf97b5b9736d9b4884a8bf8e31194
                                                        SSDEEP:12288:7quErHF6xC9D6DmR1J98w4oknqOOCyQf270pc+eUXRf68kAc:Crl6kD68JmlotQfo/GRfRxc
                                                        TLSH:C6B412998AD2E926C665A3748039CC904AB57833CF896B5DC758F25FFC20347E80BB5D
                                                        Icon Hash:aaf3e3e3938382a0
                                                        Entrypoint:0x4fd9b0
                                                        Entrypoint Section:UPX1
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x67D37354 [Fri Mar 14 00:07:48 2025 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:1
                                                        File Version Major:5
                                                        File Version Minor:1
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:1
                                                        Import Hash:fc6683d30d9f25244a50fd5357825e79
                                                        Instruction
                                                        pushad
                                                        mov esi, 004A8000h
                                                        lea edi, dword ptr [esi-000A7000h]
                                                        push edi
                                                        jmp 00007F52F07D8B7Dh
                                                        nop
                                                        mov al, byte ptr [esi]
                                                        inc esi
                                                        mov byte ptr [edi], al
                                                        inc edi
                                                        add ebx, ebx
                                                        jne 00007F52F07D8B79h
                                                        mov ebx, dword ptr [esi]
                                                        sub esi, FFFFFFFCh
                                                        adc ebx, ebx
                                                        jc 00007F52F07D8B5Fh
                                                        Programming Language:
                                                        • [ASM] VS2013 build 21005
                                                        • [ C ] VS2013 build 21005
                                                        • [C++] VS2013 build 21005
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                        • [ASM] VS2013 UPD4 build 31101
                                                        • [RES] VS2013 build 21005
                                                        • [LNK] VS2013 UPD4 build 31101
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x122d54 | 0x424 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfe000 | 0x24d54 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x123178 | 0xc | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfdb94 | 0x48 | UPX1
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        UPX0 | 0x1000 | 0xa7000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        UPX1 | 0xa8000 | 0x56000 | 0x55c00 | c67ca280ea3bc35aa7d3a9661d69520a | False | 0.9883638165087464 | data | 7.936729694937026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rsrc | 0xfe000 | 0x26000 | 0x25200 | ac3d96445943c88e1be32f0f32967fe2 | False | 0.8635245686026936 | data | 7.733968770787856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                        RT_ICON | 0xfe5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                        RT_ICON | 0xfe6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                        RT_ICON | 0xfe804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                        RT_ICON | 0xfe930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                                        RT_ICON | 0xfec1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                                        RT_ICON | 0xfed48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                                        RT_ICON | 0xffbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                                        RT_ICON | 0x1004a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                                        RT_ICON | 0x100a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                                        RT_ICON | 0x102fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                                        RT_ICON | 0x104064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                                        RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 1.1375
                                                        RT_STRING | 0xcd4f0 | 0x594 | OpenPGP Public Key | English | Great Britain | 1.007703081232493
                                                        RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 1.0065710872162486
                                                        RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 1.009417808219178
                                                        RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 1.0071801566579635
                                                        RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 1.0067567567567568
                                                        RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 1.0097690941385435
                                                        RT_STRING | 0xcf660 | 0x158 | data | English | Great Britain | 1.0319767441860466
                                                        RT_RCDATA | 0x1044d0 | 0x1e2e9 | data | | | 1.0003720930232558
                                                        RT_GROUP_ICON | 0x1227c0 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                                        RT_GROUP_ICON | 0x12283c | 0x14 | data | English | Great Britain | 1.25
                                                        RT_GROUP_ICON | 0x122854 | 0x14 | data | English | Great Britain | 1.15
                                                        RT_GROUP_ICON | 0x12286c | 0x14 | data | English | Great Britain | 1.25
                                                        RT_VERSION | 0x122884 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                        RT_MANIFEST | 0x122964 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                        DLL | Import
                                                        KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                                                        ADVAPI32.dll | GetAce
                                                        COMCTL32.dll | ImageList_Remove
                                                        COMDLG32.dll | GetOpenFileNameW
                                                        GDI32.dll | LineTo
                                                        IPHLPAPI.DLL | IcmpSendEcho
                                                        MPR.dll | WNetUseConnectionW
                                                        ole32.dll | CoGetObject
                                                        OLEAUT32.dll | VariantInit
                                                        PSAPI.DLL | GetProcessMemoryInfo
                                                        SHELL32.dll | DragFinish
                                                        USER32.dll | GetDC
                                                        USERENV.dll | LoadUserProfileW
                                                        UxTheme.dll | IsThemeActive
                                                        VERSION.dll | VerQueryValueW
                                                        WININET.dll | FtpOpenFileW
                                                        WINMM.dll | timeGetTime
                                                        WSOCK32.dll | connect
                                                        Description | Data
                                                        Translation | 0x0809 0x04b0
                                                        Language of compilation system | Country where language is spoken | Map
                                                        English | Great Britain |
                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                        2025-03-14T11:55:29.930202+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.11 | 49706 | 132.226.247.73 | 80 | TCP
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Mar 14, 2025 11:55:22.751738071 CET | 49706 | 80 | 192.168.2.11 | 132.226.247.73
                                                        Mar 14, 2025 11:55:22.757213116 CET | 80 | 49706 | 132.226.247.73 | 192.168.2.11
                                                        Mar 14, 2025 11:55:22.757292032 CET | 49706 | 80 | 192.168.2.11 | 132.226.247.73
                                                        Mar 14, 2025 11:55:22.757534981 CET | 49706 | 80 | 192.168.2.11 | 132.226.247.73
                                                        Mar 14, 2025 11:55:22.762579918 CET | 80 | 49706 | 132.226.247.73 | 192.168.2.11
                                                        Mar 14, 2025 11:55:28.483824015 CET | 80 | 49706 | 132.226.247.73 | 192.168.2.11
                                                        Mar 14, 2025 11:55:28.488272905 CET | 49706 | 80 | 192.168.2.11 | 132.226.247.73
                                                        Mar 14, 2025 11:55:28.493042946 CET | 80 | 49706 | 132.226.247.73 | 192.168.2.11
                                                        Mar 14, 2025 11:55:29.877007008 CET | 80 | 49706 | 132.226.247.73 | 192.168.2.11
                                                        Mar 14, 2025 11:55:29.887227058 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:55:29.887264967 CET | 443 | 49707 | 104.21.16.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:29.887346029 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:55:29.897756100 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:55:29.897772074 CET | 443 | 49707 | 104.21.16.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:29.930202007 CET | 49706 | 80 | 192.168.2.11 | 132.226.247.73
                                                        Mar 14, 2025 11:55:30.359994888 CET | 443 | 49707 | 104.21.16.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:30.360146046 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:55:30.367141008 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:55:30.367162943 CET | 443 | 49707 | 104.21.16.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:30.367449999 CET | 443 | 49707 | 104.21.16.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:30.414191008 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:55:30.420583010 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:55:30.464335918 CET | 443 | 49707 | 104.21.16.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:30.528318882 CET | 443 | 49707 | 104.21.16.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:30.528383970 CET | 443 | 49707 | 104.21.16.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:30.528516054 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:55:30.536389112 CET | 49707 | 443 | 192.168.2.11 | 104.21.16.1
                                                        Mar 14, 2025 11:56:34.878388882 CET | 80 | 49706 | 132.226.247.73 | 192.168.2.11
                                                        Mar 14, 2025 11:56:34.878493071 CET | 49706 | 80 | 192.168.2.11 | 132.226.247.73
                                                        Mar 14, 2025 11:57:09.883219004 CET | 49706 | 80 | 192.168.2.11 | 132.226.247.73
                                                        Mar 14, 2025 11:57:09.887984991 CET | 80 | 49706 | 132.226.247.73 | 192.168.2.11
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Mar 14, 2025 11:55:22.739162922 CET | 49775 | 53 | 192.168.2.11 | 1.1.1.1
                                                        Mar 14, 2025 11:55:22.745796919 CET | 53 | 49775 | 1.1.1.1 | 192.168.2.11
                                                        Mar 14, 2025 11:55:29.878954887 CET | 59080 | 53 | 192.168.2.11 | 1.1.1.1
                                                        Mar 14, 2025 11:55:29.886112928 CET | 53 | 59080 | 1.1.1.1 | 192.168.2.11
                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                        Mar 14, 2025 11:55:22.739162922 CET | 192.168.2.11 | 1.1.1.1 | 0x90b8 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:29.878954887 CET | 192.168.2.11 | 1.1.1.1 | 0xc517 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                        Mar 14, 2025 11:55:22.745796919 CET | 1.1.1.1 | 192.168.2.11 | 0x90b8 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:22.745796919 CET | 1.1.1.1 | 192.168.2.11 | 0x90b8 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:22.745796919 CET | 1.1.1.1 | 192.168.2.11 | 0x90b8 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:22.745796919 CET | 1.1.1.1 | 192.168.2.11 | 0x90b8 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:22.745796919 CET | 1.1.1.1 | 192.168.2.11 | 0x90b8 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:22.745796919 CET | 1.1.1.1 | 192.168.2.11 | 0x90b8 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:29.886112928 CET | 1.1.1.1 | 192.168.2.11 | 0xc517 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:29.886112928 CET | 1.1.1.1 | 192.168.2.11 | 0xc517 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:29.886112928 CET | 1.1.1.1 | 192.168.2.11 | 0xc517 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:29.886112928 CET | 1.1.1.1 | 192.168.2.11 | 0xc517 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:29.886112928 CET | 1.1.1.1 | 192.168.2.11 | 0xc517 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:29.886112928 CET | 1.1.1.1 | 192.168.2.11 | 0xc517 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
                                                        Mar 14, 2025 11:55:29.886112928 CET | 1.1.1.1 | 192.168.2.11 | 0xc517 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
                                                        • reallyfreegeoip.org
                                                        • checkip.dyndns.org
                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.11 | 49706 | 132.226.247.73 | 80 | 6620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Mar 14, 2025 11:55:22.757534981 CET | 151 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Connection: Keep-Alive
                                                        Mar 14, 2025 11:55:28.483824015 CET | 273 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 14 Mar 2025 10:55:28 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 104
                                                        Connection: keep-alive
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                        Mar 14, 2025 11:55:28.488272905 CET | 127 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Mar 14, 2025 11:55:29.877007008 CET | 273 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 14 Mar 2025 10:55:29 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 104
                                                        Connection: keep-alive
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.11 | 49707 | 104.21.16.1 | 443 | 6620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-03-14 10:55:30 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                        Host: reallyfreegeoip.org
                                                        Connection: Keep-Alive
                                                        2025-03-14 10:55:30 UTC | 855 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 14 Mar 2025 10:55:30 GMT
                                                        Content-Type: text/xml
                                                        Content-Length: 362
                                                        Connection: close
                                                        Age: 99996
                                                        Cache-Control: max-age=31536000
                                                        cf-cache-status: HIT
                                                        last-modified: Thu, 13 Mar 2025 07:08:53 GMT
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SzuY5xXpPiLKOrRlaAPmu1fMsKK4YxdKdKMpHGQ3UZqvtC8JBiTFlIn3HYATFONNT%2BDyGj4FilZgAfG3InZ2KHh4ConHglENkkuMBbP5ha7IYslJGo1m%2F%2FXC5%2BnrKUhjqo4vLSuE"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 92033d377ec18c8d-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=2013&min_rtt=2011&rtt_var=758&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1439842&cwnd=250&unsent_bytes=0&cid=02092f8b90a14e40&ts=180&x=0"
                                                        2025-03-14 10:55:30 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                                        Target ID:0
                                                        Start time:06:55:20
                                                        Start date:14/03/2025
                                                        Path:C:\Users\user\Desktop\SOA FEB 2025.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\SOA FEB 2025.exe"
                                                        Imagebase:0x410000
                                                        File size:504'320 bytes
                                                        MD5 hash:ED5FE07A29C69E6BF26E20460CBDFCAF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1107321237.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:06:55:21
                                                        Start date:14/03/2025
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\SOA FEB 2025.exe"
                                                        Imagebase:0x760000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2358237433.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2359971170.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false
