
Windows Analysis Report SOA.exe

Overview

General Information

Sample Name: SOA.exe
Analysis ID: 458820
MD5: 5fbbec81658402ee0e3cac046c268c2d
SHA1: af06f581f042f5102bd375bf3632b462bef144d9
SHA256: deeaa200547c6ffa325f662ec9b9ddcf0cf127826da37c2e5c514be84da26e88
Tags: AgentTesla, exe

Most interesting Screenshot: (image not reproduced)

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • SOA.exe (PID: 160 cmdline: 'C:\Users\user\Desktop\SOA.exe' MD5: 5FBBEC81658402EE0E3CAC046C268C2D)
    • RegSvcs.exe (PID: 5476 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 5092 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 988 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "paola.micheli@copangroup.xyz", "Password": "gibson.1990", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RegSvcs.exe PID: 5476 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegSvcs.exe PID: 5476 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
12.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SOA.exe' , ParentImage: C:\Users\user\Desktop\SOA.exe, ParentProcessId: 160, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5476
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SOA.exe' , ParentImage: C:\Users\user\Desktop\SOA.exe, ParentProcessId: 160, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5476

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 12.2.RegSvcs.exe.400000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "paola.micheli@copangroup.xyz", "Password": "gibson.1990", "Host": "us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for submitted file
Source: SOA.exe, Virustotal: Detection: 67%
Source: SOA.exe, Metadefender: Detection: 51%
Source: SOA.exe, ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: SOA.exe, Joe Sandbox ML: detected
Source: 12.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: SOA.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SOA.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000010.00000000.344871789.00000000005C2000.00000002.00020000.sdmp, NXLun.exe, 00000013.00000002.364874581.0000000000E52000.00000002.00020000.sdmp, NXLun.exe.12.dr
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, NXLun.exe.12.dr
Source: global traffic, TCP traffic: 192.168.2.5:49728 -> 208.91.198.143:587
Source: Joe Sandbox View, IP Address: 208.91.198.143 208.91.198.143
Source: unknown, DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: RegSvcs.exe, 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 0000000C.00000002.511073100.0000000005DE0000.00000004.00000001.sdmp, String found in binary or memory: http://crl.usertrust.co1
Source: RegSvcs.exe, 0000000C.00000002.506726331.0000000002DC8000.00000004.00000001.sdmp, String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SOA.exe, 00000001.00000003.238456816.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, String found in binary or memory: http://hFHvHh.com
Source: RegSvcs.exe, 0000000C.00000002.506726331.0000000002DC8000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.sectigo.com0A
Source: RegSvcs.exe, 0000000C.00000002.506726331.0000000002DC8000.00000004.00000001.sdmp, String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SOA.exe, 00000001.00000003.246491312.00000000059CD000.00000004.00000001.sdmp, SOA.exe, 00000001.00000003.245860903.00000000059C9000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: SOA.exe, 00000001.00000003.246491312.00000000059CD000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: SOA.exe, 00000001.00000003.238090933.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: SOA.exe, 00000001.00000003.238090933.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comc
Source: SOA.exe, 00000001.00000003.238171108.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comn_
Source: SOA.exe, 00000001.00000003.238171108.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comx
Source: SOA.exe, 00000001.00000003.239742559.00000000059C4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.c4/
Source: SOA.exe, 00000001.00000003.239721030.00000000059FD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: SOA.exe, 00000001.00000003.240176406.00000000059CB000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn1
Source: SOA.exe, 00000001.00000003.240176406.00000000059CB000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnf
Source: SOA.exe, 00000001.00000003.239721030.00000000059FD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cno
Source: SOA.exe, 00000001.00000003.242664877.00000000059C4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SOA.exe, 00000001.00000003.242664877.00000000059C4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/(3
Source: SOA.exe, 00000001.00000003.242664877.00000000059C4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/?3
Source: SOA.exe, 00000001.00000003.242664877.00000000059C4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ita
Source: SOA.exe, 00000001.00000003.242664877.00000000059C4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SOA.exe, 00000001.00000003.242664877.00000000059C4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C3
Source: SOA.exe, 00000001.00000003.242664877.00000000059C4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z3
Source: SOA.exe, 00000001.00000003.237896138.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: SOA.exe, 00000001.00000003.237896138.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.commit
Source: SOA.exe, 00000001.00000003.239198375.00000000059C6000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: SOA.exe, 00000001.00000003.239198375.00000000059C6000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krP
Source: SOA.exe, 00000001.00000003.239198375.00000000059C6000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krll
Source: SOA.exe, 00000001.00000003.238512936.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: SOA.exe, 00000001.00000003.238512936.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com5
Source: SOA.exe, 00000001.00000003.238512936.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comFQ
Source: SOA.exe, 00000001.00000003.238456816.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comM
Source: SOA.exe, 00000001.00000003.238512936.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comX
Source: SOA.exe, 00000001.00000003.238512936.00000000059DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comtn
Source: RegSvcs.exe, 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 0000000C.00000002.506492165.0000000002D8B000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.506900421.0000000002DF5000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.506706132.0000000002DC2000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.506871057.0000000002DEC000.00000004.00000001.sdmp, String found in binary or memory: https://f5KiqD21KxI.com
Source: RegSvcs.exe, 0000000C.00000002.506726331.0000000002DC8000.00000004.00000001.sdmp, String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File written: C:\Windows\System32\drivers\etc\hosts

                System Summary:

                barindex
                .NET source code contains very large array initializationsShow sources
                Source: 12.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b96D7ABB9u002d40EDu002d48D0u002dBF36u002dDF423462F388u007d/u0032241B3BCu002dF0A1u002d4679u002d849Bu002d1DE40CAF4318.csLarge array initialization: .cctor: array initializer size 11962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00DD302312_2_00DD3023
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00DD082012_2_00DD0820
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00DD6B6812_2_00DD6B68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00DD1F8812_2_00DD1F88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00DD72B112_2_00DD72B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00DD73B012_2_00DD73B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00DD9CA012_2_00DD9CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_00DDCFD812_2_00DDCFD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_02A247A012_2_02A247A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_02A246B012_2_02A246B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_02A2D66112_2_02A2D661
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                Source: SOA.exe, 00000001.00000000.234647898.0000000000672000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUmAlQuraCalend.exe> vs SOA.exe
                Source: SOA.exeBinary or memory string: OriginalFilenameUmAlQuraCalend.exe> vs SOA.exe
                Source: SOA.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                Source: 12.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 12.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                Source: C:\Users\user\Desktop\SOA.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA.exe.logJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4664:120:WilError_01
                Source: C:\Users\user\Desktop\SOA.exeMutant created: \Sessions\1\BaseNamedObjects\ECwlzqmmlQxFcZwGi
                Source: SOA.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SOA.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SOA.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: SOA.exeVirustotal: Detection: 67%
                Source: SOA.exeMetadefender: Detection: 51%
                Source: SOA.exeReversingLabs: Detection: 82%
                Source: unknownProcess created: C:\Users\user\Desktop\SOA.exe 'C:\Users\user\Desktop\SOA.exe'
                Source: C:\Users\user\Desktop\SOA.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SOA.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\SOA.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: SOA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SOA.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000010.00000000.344871789.00000000005C2000.00000002.00020000.sdmp, NXLun.exe, 00000013.00000002.364874581.0000000000E52000.00000002.00020000.sdmp, NXLun.exe.12.dr
                Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.12.dr
                Source: SOA.exeStatic PE information: 0x986C96A7 [Fri Jan 13 20:08:07 2051 UTC]
                Source: initial sampleStatic PE information: section name: .text entropy: 7.21124582486
                Source: SOA.exe, K1kqYmESoxCghLepC6/MbahuCdWQiZgLqx8OT.csHigh entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'QgeO1HDGWl', 'CAkOZwem2w', 'WmUOhXQSVZ', 'DPqO8VQyxy', 'csYOA4F7Fo', 'FWvO27s4fR', 'Pg0OF467PQ'
                Source: SOA.exe, yqc03Je2CkLL23Pm5b/HcDHEjnlaptS6w6lv2.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TtQhJCA7VM', 'C5NTANWYtQ', 'PkbT97fW2c', 'TmeTFN4ih3', 'wweTznjyao', 'i1Sl5CBlv9', 'xABlbkeclU', 'RHilmsZOUL'
                Source: SOA.exe, MiGAgO78RuiJcIKTVX/ILsPMNNcBbOPRGrQow.csHigh entropy of concatenated method names: 'S8HAqpxpUi', 'uj5AAYIo3X', '.ctor', 'l7Mqs3DKkO', 'rFHqXXQ2ps', 'Mk1qUk88Ii', 'BRGq3PZDVX', 'eW9qwHJQ3f', 'LryqgYe1V6', 'gF3qJqbDhs'
                Source: SOA.exe, evK7yhoaqmaiHxKHNB/pFpZxUK1oJ1rRo7k9d.csHigh entropy of concatenated method names: '.ctor', 'u7hhRaoxhR', 'Dispose', 'ahIhtTvewf', 'SrYhSsYNBO', 'L9MhHhObQ0', 'ng1hxc23QI', 'AFIhC5yH71', 'jEMhn31agr', 'Ab9TP9u40C'
                Source: SOA.exe, t3OAi3PAnHtinoqhWP/hWECR7aAHbZLqDgQD0.csHigh entropy of concatenated method names: '.ctor', 'Save', 'HoquhWPfN', 'Load', 'kShLNZ0bh', 'CaqV9Ndqh', 'RIOBk3TEY', 'ol2bo6pMMpBljt4guV', 'SPGZNqRm9Z2w7mCbbS', 'erneVwFtbiFsESJ78a'
                Source: SOA.exe, odGVC9Dap7E2HJCVHB/l5C44U5EVbBo1ZLcOl.csHigh entropy of concatenated method names: 'LJBxRnKgyc', 'fbjxrttpEs', 'fFVxLRjW46', 'hAtx2kJaDb', 'YOrxJMhdF8', 'jU3xKHwDs1', 'wteZfDbOC8', 'yQWZDEcS3M', 's8AZd45FM1', '.ctor'
                Source: SOA.exe, cXIOk3fTEYNWfummIF/oNQShNlZ0bhBaq9Ndq.csHigh entropy of concatenated method names: '.ctor', 'HnLXBElhJ', 'u8RIcOxm4', 'GU16oJ1rR', 'KG0397yab', 'M36jr8xoS', 'WhVkcUXb3', 'u6rg8bXPZ', 'kIhzrtmRF', 'GEwZ1mFAD0'
                Source: SOA.exe, EkDSdjUU3XOeX1mifG/KQdWswIU0SugK6bcsw.csHigh entropy of concatenated method names: 'SRmANEQVky', 'S7vA7l6Qa9', 'f0lAXXNZh3', 'Ni3AIqTacX', 'MixA384yof', 'A4NAjLxosL', 'J26Aki02Ky', 'KokAgMLJpt', 'wpoAzyHQbI', 'l1e21lNcq5'
                Source: SOA.exe, oLquStZOubXpvBYbc3S/akNg04ZZ67PQlecPd55.csHigh entropy of concatenated method names: 'jNw24LIxmh', 'Nf42TiECPy', 'uc62WJenyr', 'ah02uoBenK', 'fnL2LImEJf', 'TYA2VEdt4C', 'xkr2BgQFMc', 'Bdh2RPZoD4', 'D762tN1cX5', 'cqO2SpjImp'
                Source: SOA.exe, E0uGhfZVCNOuCJwLq5L/YagVVlZLU4q1Jnwv2fD.csHigh entropy of concatenated method names: 'EFY5nfNH80', 'FSG5ep2q98', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
                Source: SOA.exe, wxm5s9ZRlwDRQwODg68/zc71DsZBxNAblAAxuQl.csHigh entropy of concatenated method names: '.ctor', 'lpbNzIRA1v', 'e5jy5F1Mdl', 'Jrg5X6doPZ', 'RY65IyT1w5', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
                Source: SOA.exe, Ntp9JjbSFJJEtTbr06/bntxGmr38rW9hg5bW7.csHigh entropy of concatenated method names: '.ctor', 'yJeqDPMkPl', 'V2vqdM8GqZ', 'W8oqEy4Tnf', 'Hl3qKLta8J', 'qxEqoitchO', 'aRDg3xQLdEv98kX6A1y', 'UE6PFWQO9Zwq2J236Fh', 'nxelxaQ7PZSmynAY2KY', 'liLP4sQCd41moj2JnYW'
                Source: SOA.exe, hqMFjqZTFYUBeMW6mEh/faxnvcZ4oaXjKjPMnLk.csHigh entropy of concatenated method names: '.ctor', 'e7gfLCKDFm', 'NF9fVNsHgV', 'lU2fRhciyX', 'dsRftjqhAI', 'get_Multiline', 'set_Multiline', 'wgYP6lS062', 'HCrProAxFI', 'WydPbqDv1L'
                Source: SOA.exe, xRxAg5ZS1IaHr0CufDV/AGQDmuZtAY2Ic1nWU8F.csHigh entropy of concatenated method names: '.ctor', 'yKXD1WCgEg', 'iBQDZd7fAU', 'qBXDhVd33C', 'LHfD8jfgV9', 'RWR5g9mr1Y', 'KBt5JHOSNK', 'l495zTYngw', 'bQSMROajXhFqNO1TO53', 'AipFWQayOuhIR78IeJC'
                Source: SOA.exe, ile37vZv5obHKjTQSQU/KZxYRqZMaGyXUHLDa0U.csHigh entropy of concatenated method names: 'u4TP5DkqL8', 'vC1PDLDg2T', 'A7TPOpZXp3', 'NX5PhxKfw3', 'CtsPqTywsO', 'u0TPAoJtwn', 'COwP26eLrU', 'sjZPphfmBv', 'HeePFEN8UC', 'Q1qP9lMuAv'
                Source: SOA.exe, oyPyv4ZE2Fdh7oQfbNB/ebSkmGZdxkfSrked1c9.csHigh entropy of concatenated method names: 'VCcFNaoIr1', 'MmDF7q68rO', 'oZPFsE1R4F', 'o9NFX447FS', 'HsPFIkDYrU', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
                Source: SOA.exe, ESjVLIZoIrlLeYRtQTj/JhjeGPZKjepRqEkTZs9.csHigh entropy of concatenated method names: '.ctor', 'bUoGmLXvcM', 'zYiGYMUCAQ', 'Cb6GOQNt1K', 'caTGh15m13', 'dj7G8n0AZp', 'I5SGqDPU9r', 'C8NGA28oZI', 'D4kG2QKLX0', 'CNkGpsSa7Q'
                Source: SOA.exe, sy4AKiZ86GXm37TX1Js/rDI7QHZhTysxRRHpJm1.csHigh entropy of concatenated method names: '.ctor', 'NJPFY7k1m6', 'IeAFvoLNba', 'cFnFTQVmAn', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'y33KY39OBhMRP8tPdf7', 'EAZdON9XGFedEKql69V'
                Source: SOA.exe, UleDERZYNHygWjPuHwG/nyN2Q3ZmLOvixFvX59Y.csHigh entropy of concatenated method names: 'Dispose', 'WS0QVDXKwp', 'LMWQBCMSo8', 'uLaQR98R5E', 'VnPQtKW54P', 'get_MinimumSize', 'set_MinimumSize', 'g58avRYXC2', 'RF9a4dKvqM', 'GpkaWtmfex'
                Source: 1.0.SOA.exe.670000.0.unpack, K1kqYmESoxCghLepC6/MbahuCdWQiZgLqx8OT.csHigh entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'QgeO1HDGWl', 'CAkOZwem2w', 'WmUOhXQSVZ', 'DPqO8VQyxy', 'csYOA4F7Fo', 'FWvO27s4fR', 'Pg0OF467PQ'
                Source: 1.0.SOA.exe.670000.0.unpack, yqc03Je2CkLL23Pm5b/HcDHEjnlaptS6w6lv2.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TtQhJCA7VM', 'C5NTANWYtQ', 'PkbT97fW2c', 'TmeTFN4ih3', 'wweTznjyao', 'i1Sl5CBlv9', 'xABlbkeclU', 'RHilmsZOUL'
                Source: 1.0.SOA.exe.670000.0.unpack, MiGAgO78RuiJcIKTVX/ILsPMNNcBbOPRGrQow.csHigh entropy of concatenated method names: 'S8HAqpxpUi', 'uj5AAYIo3X', '.ctor', 'l7Mqs3DKkO', 'rFHqXXQ2ps', 'Mk1qUk88Ii', 'BRGq3PZDVX', 'eW9qwHJQ3f', 'LryqgYe1V6', 'gF3qJqbDhs'
                Source: 1.0.SOA.exe.670000.0.unpack, t3OAi3PAnHtinoqhWP/hWECR7aAHbZLqDgQD0.csHigh entropy of concatenated method names: '.ctor', 'Save', 'HoquhWPfN', 'Load', 'kShLNZ0bh', 'CaqV9Ndqh', 'RIOBk3TEY', 'ol2bo6pMMpBljt4guV', 'SPGZNqRm9Z2w7mCbbS', 'erneVwFtbiFsESJ78a'
                Source: 1.0.SOA.exe.670000.0.unpack, EkDSdjUU3XOeX1mifG/KQdWswIU0SugK6bcsw.csHigh entropy of concatenated method names: 'SRmANEQVky', 'S7vA7l6Qa9', 'f0lAXXNZh3', 'Ni3AIqTacX', 'MixA384yof', 'A4NAjLxosL', 'J26Aki02Ky', 'KokAgMLJpt', 'wpoAzyHQbI', 'l1e21lNcq5'
                Source: 1.0.SOA.exe.670000.0.unpack, evK7yhoaqmaiHxKHNB/pFpZxUK1oJ1rRo7k9d.csHigh entropy of concatenated method names: '.ctor', 'u7hhRaoxhR', 'Dispose', 'ahIhtTvewf', 'SrYhSsYNBO', 'L9MhHhObQ0', 'ng1hxc23QI', 'AFIhC5yH71', 'jEMhn31agr', 'Ab9TP9u40C'
                Source: 1.0.SOA.exe.670000.0.unpack, cXIOk3fTEYNWfummIF/oNQShNlZ0bhBaq9Ndq.csHigh entropy of concatenated method names: '.ctor', 'HnLXBElhJ', 'u8RIcOxm4', 'GU16oJ1rR', 'KG0397yab', 'M36jr8xoS', 'WhVkcUXb3', 'u6rg8bXPZ', 'kIhzrtmRF', 'GEwZ1mFAD0'
                Source: 1.0.SOA.exe.670000.0.unpack, xRxAg5ZS1IaHr0CufDV/AGQDmuZtAY2Ic1nWU8F.cs High entropy of concatenated method names: '.ctor', 'yKXD1WCgEg', 'iBQDZd7fAU', 'qBXDhVd33C', 'LHfD8jfgV9', 'RWR5g9mr1Y', 'KBt5JHOSNK', 'l495zTYngw', 'bQSMROajXhFqNO1TO53', 'AipFWQayOuhIR78IeJC'
                Source: 1.0.SOA.exe.670000.0.unpack, odGVC9Dap7E2HJCVHB/l5C44U5EVbBo1ZLcOl.cs High entropy of concatenated method names: 'LJBxRnKgyc', 'fbjxrttpEs', 'fFVxLRjW46', 'hAtx2kJaDb', 'YOrxJMhdF8', 'jU3xKHwDs1', 'wteZfDbOC8', 'yQWZDEcS3M', 's8AZd45FM1', '.ctor'
                Source: 1.0.SOA.exe.670000.0.unpack, ile37vZv5obHKjTQSQU/KZxYRqZMaGyXUHLDa0U.cs High entropy of concatenated method names: 'u4TP5DkqL8', 'vC1PDLDg2T', 'A7TPOpZXp3', 'NX5PhxKfw3', 'CtsPqTywsO', 'u0TPAoJtwn', 'COwP26eLrU', 'sjZPphfmBv', 'HeePFEN8UC', 'Q1qP9lMuAv'
                Source: 1.0.SOA.exe.670000.0.unpack, hqMFjqZTFYUBeMW6mEh/faxnvcZ4oaXjKjPMnLk.cs High entropy of concatenated method names: '.ctor', 'e7gfLCKDFm', 'NF9fVNsHgV', 'lU2fRhciyX', 'dsRftjqhAI', 'get_Multiline', 'set_Multiline', 'wgYP6lS062', 'HCrProAxFI', 'WydPbqDv1L'
                Source: 1.0.SOA.exe.670000.0.unpack, Ntp9JjbSFJJEtTbr06/bntxGmr38rW9hg5bW7.cs High entropy of concatenated method names: '.ctor', 'yJeqDPMkPl', 'V2vqdM8GqZ', 'W8oqEy4Tnf', 'Hl3qKLta8J', 'qxEqoitchO', 'aRDg3xQLdEv98kX6A1y', 'UE6PFWQO9Zwq2J236Fh', 'nxelxaQ7PZSmynAY2KY', 'liLP4sQCd41moj2JnYW'
                Source: 1.0.SOA.exe.670000.0.unpack, ESjVLIZoIrlLeYRtQTj/JhjeGPZKjepRqEkTZs9.cs High entropy of concatenated method names: '.ctor', 'bUoGmLXvcM', 'zYiGYMUCAQ', 'Cb6GOQNt1K', 'caTGh15m13', 'dj7G8n0AZp', 'I5SGqDPU9r', 'C8NGA28oZI', 'D4kG2QKLX0', 'CNkGpsSa7Q'
                Source: 1.0.SOA.exe.670000.0.unpack, E0uGhfZVCNOuCJwLq5L/YagVVlZLU4q1Jnwv2fD.cs High entropy of concatenated method names: 'EFY5nfNH80', 'FSG5ep2q98', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
                Source: 1.0.SOA.exe.670000.0.unpack, wxm5s9ZRlwDRQwODg68/zc71DsZBxNAblAAxuQl.cs High entropy of concatenated method names: '.ctor', 'lpbNzIRA1v', 'e5jy5F1Mdl', 'Jrg5X6doPZ', 'RY65IyT1w5', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
                Source: 1.0.SOA.exe.670000.0.unpack, UleDERZYNHygWjPuHwG/nyN2Q3ZmLOvixFvX59Y.cs High entropy of concatenated method names: 'Dispose', 'WS0QVDXKwp', 'LMWQBCMSo8', 'uLaQR98R5E', 'VnPQtKW54P', 'get_MinimumSize', 'set_MinimumSize', 'g58avRYXC2', 'RF9a4dKvqM', 'GpkaWtmfex'
                Source: 1.0.SOA.exe.670000.0.unpack, sy4AKiZ86GXm37TX1Js/rDI7QHZhTysxRRHpJm1.cs High entropy of concatenated method names: '.ctor', 'NJPFY7k1m6', 'IeAFvoLNba', 'cFnFTQVmAn', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'y33KY39OBhMRP8tPdf7', 'EAZdON9XGFedEKql69V'
                Source: 1.0.SOA.exe.670000.0.unpack, oLquStZOubXpvBYbc3S/akNg04ZZ67PQlecPd55.cs High entropy of concatenated method names: 'jNw24LIxmh', 'Nf42TiECPy', 'uc62WJenyr', 'ah02uoBenK', 'fnL2LImEJf', 'TYA2VEdt4C', 'xkr2BgQFMc', 'Bdh2RPZoD4', 'D762tN1cX5', 'cqO2SpjImp'
                Source: 1.0.SOA.exe.670000.0.unpack, oyPyv4ZE2Fdh7oQfbNB/ebSkmGZdxkfSrked1c9.cs High entropy of concatenated method names: 'VCcFNaoIr1', 'MmDF7q68rO', 'oZPFsE1R4F', 'o9NFX447FS', 'HsPFIkDYrU', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\SOA.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\SOA.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 539
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9319
                Source: C:\Users\user\Desktop\SOA.exe TID: 3216 Thread sleep time: -42114s >= -30000s
                Source: C:\Users\user\Desktop\SOA.exe TID: 5036 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 5176 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 3456 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\SOA.exe Thread delayed: delay time: 42114
                Source: RegSvcs.exe, 0000000C.00000002.510887208.0000000005C80000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: RegSvcs.exe, 0000000C.00000002.510887208.0000000005C80000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: RegSvcs.exe, 0000000C.00000002.510887208.0000000005C80000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RegSvcs.exe, 0000000C.00000003.499098735.0000000005E32000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnito
                Source: RegSvcs.exe, 0000000C.00000002.510887208.0000000005C80000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00DDA4F0 LdrInitializeThunk, 12_2_00DDA4F0
                Source: C:\Users\user\Desktop\SOA.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SOA.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Modifies the hosts file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\SOA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Source: RegSvcs.exe, 0000000C.00000002.504967900.00000000014B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: RegSvcs.exe, 0000000C.00000002.504967900.00000000014B0000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: RegSvcs.exe, 0000000C.00000002.504967900.00000000014B0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
                Source: RegSvcs.exe, 0000000C.00000002.504967900.00000000014B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
                Source: RegSvcs.exe, 0000000C.00000002.504967900.00000000014B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Users\user\Desktop\SOA.exe VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings:

                Modifies the hosts file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File written: C:\Windows\System32\drivers\etc\hosts

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match; File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match; File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5476, type: MEMORYSTR
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Tries to harvest and steal ftp login credentials
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Tries to steal Mail credentials (via file access)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match; File source: 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5476, type: MEMORYSTR

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match; File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match; File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5476, type: MEMORYSTR

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid AccountsWindows Management Instrumentation211Registry Run Keys / Startup Folder1Process Injection12File and Directory Permissions Modification1OS Credential Dumping2System Information Discovery114Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsRegistry Run Keys / Startup Folder1Disable or Modify Tools1Credentials in Registry1Query Registry1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerSecurity Software Discovery111SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing2LSA SecretsVirtualization/Sandbox Evasion131SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.commonTimestomp1Cached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsMasquerading1DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobVirtualization/Sandbox Evasion131Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection12/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Files and Directories1Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                Behavior Graph

                (Interactive behavior graph; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source: SOA.exe; Detection: 67%; Scanner: Virustotal
                Source: SOA.exe; Detection: 54%; Scanner: Metadefender
                Source: SOA.exe; Detection: 82%; Scanner: ReversingLabs; Label: ByteCode-MSIL.Trojan.AgentTesla
                Source: SOA.exe; Detection: 100%; Scanner: Joe Sandbox ML

                Dropped Files

                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Detection: 0%; Scanner: Metadefender
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe; Detection: 0%; Scanner: ReversingLabs

                Unpacked PE Files

                Source: 12.2.RegSvcs.exe.400000.0.unpack; Detection: 100%; Scanner: Avira; Label: TR/Spy.Gen8

                Domains

                No Antivirus matches

                URLs


                Domains and IPs

                Contacted Domains

                Name: us2.smtp.mailhostbox.com; IP: 208.91.198.143; Active: true; Malicious: false; Reputation: high

                  URLs from Memory and Binaries


                          Contacted IPs


                          Public

IP:208.91.198.143
Domain:us2.smtp.mailhostbox.com
Country:United States
ASN:394695
ASN Name:PUBLIC-DOMAIN-REGISTRYUS
Malicious:false

                          General Information

                          Joe Sandbox Version:33.0.0 White Diamond
                          Analysis ID:458820
                          Start date:03.08.2021
                          Start time:19:18:35
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 9m 32s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:SOA.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                          EGA Information:Failed
                          HDC Information:
                          • Successful, ratio: 0.4% (good quality ratio 0.4%)
                          • Quality average: 100%
                          • Quality standard deviation: 0%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 44
                          • Number of non-executed functions: 5
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 168.61.161.212, 23.211.6.115, 23.211.4.86, 20.50.102.62, 173.222.108.226, 173.222.108.210, 40.112.88.60, 51.103.5.159, 80.67.82.235, 80.67.82.211, 20.49.157.6
                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

Time | Type | Description
19:19:53 | API Interceptor | 1x Sleep call for process: SOA.exe modified
19:20:03 | API Interceptor | 650x Sleep call for process: RegSvcs.exe modified
19:20:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
19:20:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe

                          Joe Sandbox View / Context

                          IPs

Match: 208.91.198.143 (associated samples, all detected as malicious)
• Invoice.exe
• Scan#0068-46c3367.exe
• IMG-20210802-WA0587-085.exe
• IMG-20210802-WA0587-087.exe
• order.PDF.exe
• PURCHASE ORDER-PO-S.L 45675675.pdf.exe
• TT COPY.exe
• Pedido urgente.exe
• SecuriteInfo.com.Variant.Zusy.394472.4088.exe
• JMIRLlEMHBPEEQvrxjqCV.exe
• Aditi Tiwari Resume.pdf.exe
• NEW RFQ FROM WEB AFRITECH.doc
• Shipment documents pdf.exe
• REMITTANCE COPY.exe
• ok1.exe
• 4378e6769c14e63e1b385e955ee06b93.exe
• HSBC PAYMENT ADVICE.exe
• Doc-67789845678765670987655.exe
• Doc-67789845678765670987654.exe
• invoice and payment.doc

                                                                  Domains

Match: us2.smtp.mailhostbox.com (associated sample, detection, resolved IP in that analysis)
• MJLkaPZomUolseU.exe, malicious, 208.91.199.225
• SecuriteInfo.com.Trojan.MSIL.Kryptik.56a80396.11710.exe, malicious, 208.91.199.224
• Invoice.exe, malicious, 208.91.198.143
• Scan#0068-46c3367.exe, malicious, 208.91.198.143
• Scan#0068-46c3366.exe, malicious, 208.91.199.223
• IMG-20210802-WA0587-085.exe, malicious, 208.91.198.143
• IMG-20210802-WA0587-087.exe, malicious, 208.91.198.143
• Quotation.exe, malicious, 208.91.199.225
• PURCHASE ORDER PO09377 _093640_9307355_264378_88479_0E974.exe, malicious, 208.91.199.225
• order.PDF.exe, malicious, 208.91.198.143
• RFQ #7696679TTR6F.exe, malicious, 208.91.199.224
• Waybill Doc_027942941.exe, malicious, 208.91.199.225
• Confirmación de pago .exe, malicious, 208.91.199.224
• oBNvb4c6bg.exe, malicious, 208.91.199.224
• TVz86np48Z.exe, malicious, 208.91.199.223
• Current Vendor Payment Application .doc, malicious, 208.91.199.224
• XiAn Sunnstatement 27-07-2021 pdf.exe, malicious, 208.91.199.223
• PURCHASE ORDER-PO-S.L 45675675.pdf.exe, malicious, 208.91.198.143
• QAP 367893738 Ed 7 pcs.exe, malicious, 208.91.199.224
• Remittance Advise.doc, malicious, 208.91.199.225

                                                                  ASN

Match: PUBLIC-DOMAIN-REGISTRYUS (associated sample, detection, contacted IP in that analysis)
• QUOTATION LIST FOR NEW ORDER.exe, malicious, 204.11.58.233
• MJLkaPZomUolseU.exe, malicious, 208.91.199.225
• SecuriteInfo.com.Trojan.MSIL.Kryptik.56a80396.11710.exe, malicious, 208.91.199.224
• Invoice.exe, malicious, 208.91.198.143
• Scan#0068-46c3367.exe, malicious, 208.91.199.224
• Scan#0068-46c3366.exe, malicious, 208.91.199.223
• bin.exe, malicious, 119.18.54.122
• IMG-20210802-WA0587-085.exe, malicious, 208.91.199.224
• IMG-20210802-WA0587-087.exe, malicious, 208.91.198.143
• Quotation.exe, malicious, 208.91.199.224
• QUOTE 04202021.exe, malicious, 103.21.58.16
• PURCHASE ORDER PO09377 _093640_9307355_264378_88479_0E974.exe, malicious, 208.91.199.225
• order.PDF.exe, malicious, 208.91.199.223
• RFQ #7696679TTR6F.exe, malicious, 208.91.199.224
• Waybill Doc_027942941.exe, malicious, 208.91.199.225
• Confirmación de pago .exe, malicious, 208.91.199.224
• triage_dropped_file.exe, malicious, 162.222.226.11
• oBNvb4c6bg.exe, malicious, 208.91.199.224
• TVz86np48Z.exe, malicious, 208.91.199.223
• Current Vendor Payment Application .doc, malicious, 208.91.199.224

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

Match: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe (associated samples, all detected as malicious)
• epda.exe
• POSH service quotation..exe
• SWIFT REF GO 20210730SFT21020137.exe
• HJKcEjrUuzYMV9X.exe
• est pda.exe
• BL COPY.exe
• DOC.exe
• statement.exe
• PO-K-128 IAN 340854.exe
• PO#4500484210.exe
• Invoice no SS21-22185.exe
• SQycD6hL4Y.exe
• Aggiornamento ordine Quantità__BFM Srl 117-28050-01.exe
• PAYMENT INSTRUCTIONS COPY.exe
• FINAL SHIPPING DOC..exe
• Spare Parts Requisition-003,004.exe
• PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe
• Order List.exe
• PAYMENT BANK INSTRUCTIONS COPY.exe
• PO.exe

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
                                                                                                          Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):142
                                                                                                          Entropy (8bit):5.090621108356562
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                                          MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                                          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                                          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                                          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA.exe.log
                                                                                                          Process:C:\Users\user\Desktop\SOA.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1216
                                                                                                          Entropy (8bit):5.355304211458859
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                                                          MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                                                          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                                                          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                                                          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                                                          Malicious:true
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                          C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):45152
                                                                                                          Entropy (8bit):6.149629800481177
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                                          MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                                          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                                          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                                          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                                          Malicious:true
Antivirus:
• Metadefender, Detection: 0%
• ReversingLabs, Detection: 0%
Joe Sandbox View (same dropped file seen in these analyses, all detected as malicious):
• epda.exe
• POSH service quotation..exe
• SWIFT REF GO 20210730SFT21020137.exe
• HJKcEjrUuzYMV9X.exe
• est pda.exe
• BL COPY.exe
• DOC.exe
• statement.exe
• PO-K-128 IAN 340854.exe
• PO#4500484210.exe
• Invoice no SS21-22185.exe
• SQycD6hL4Y.exe
• Aggiornamento ordine Quantità__BFM Srl 117-28050-01.exe
• PAYMENT INSTRUCTIONS COPY.exe
• FINAL SHIPPING DOC..exe
• Spare Parts Requisition-003,004.exe
• PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe
• Order List.exe
• PAYMENT BANK INSTRUCTIONS COPY.exe
• PO.exe
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                                          C:\Windows\System32\drivers\etc\hosts
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):11
                                                                                                          Entropy (8bit):2.663532754804255
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:iLE:iLE
                                                                                                          MD5:B24D295C1F84ECBFB566103374FB91C5
                                                                                                          SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                                                                          SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                                                                          SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                                                                          Malicious:true
                                                                                                          Preview: ..127.0.0.1
                                                                                                          \Device\ConDrv
                                                                                                          Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1141
                                                                                                          Entropy (8bit):4.44831826838854
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                                          MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                                          SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                                          SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                                          SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                                          Malicious:false
                                                                                                          Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):7.205234682340215
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          File name:SOA.exe
                                                                                                          File size:1041920
                                                                                                          MD5:5fbbec81658402ee0e3cac046c268c2d
                                                                                                          SHA1:af06f581f042f5102bd375bf3632b462bef144d9
                                                                                                          SHA256:deeaa200547c6ffa325f662ec9b9ddcf0cf127826da37c2e5c514be84da26e88
                                                                                                          SHA512:2a6ecee547ce20f0fec92e7dca62dd34b34d4f77209df3cc1e6a1ee470f7f5f5e91b39b15059bedab1537dac3b0fde9b852e4c31f18e28f176cf0b69d48b9de0
                                                                                                          SSDEEP:12288:JgKyaglu6KaOUkMUweV5/d3bA8mkxlGah9+3GXvZ3nqKO1HnJGIC+7BgXfHuQ3nD:OKtaO2UJ5/d3Lmqbh025q3zLtIf/3R5
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....l.............................n.... ........@.. .......................@............@................................

                                                                                                          File Icon

                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x4ffb6e
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                          Time Stamp:0x986C96A7 [Fri Jan 13 20:08:07 2051 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated for the next 97 instruction slots)

The six-byte jmp is the entire native entry point. It jumps through the only IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 0x8, listed under Data Directories) to mscoree!_CorExeMain, the single import listed under Imports; the CLR then takes over and executes the managed code. The run of add byte ptr [eax], al is only the zero padding that follows the stub (the byte pair 00 00 disassembles to that instruction) and carries no behaviour, so native disassembly at the entry point reveals nothing about what this sample does; the logic lives in the CIL metadata.

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xffb20         | 0x4b         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x100000        | 0x5d8        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x102000        | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
.text  | 0x2000          | 0xfdb74      | 0xfdc00  | False    | 0.697750538793  | data      | 7.21124582486  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc  | 0x100000        | 0x5d8        | 0x600    | False    | 0.429036458333  | data      | 4.14205522772  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x102000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        | RVA      | Size  | Type                                                                        | Language | Country
RT_VERSION  | 0x1000a0 | 0x34c | data                                                                        |          |
RT_MANIFEST | 0x1003ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

Imports

DLL         | Import
mscoree.dll | _CorExeMain

Version Infos

Description      | Data
Translation      | 0x0000 0x04b0
LegalCopyright   | Copyright 2019
Assembly Version | 1.0.0.0
InternalName     | UmAlQuraCalend.exe
FileVersion      | 1.0.0.0
CompanyName      |
LegalTrademarks  |
Comments         |
ProductName      | ControlLibrary
ProductVersion   | 1.0.0.0
FileDescription  | ControlLibrary
OriginalFilename | UmAlQuraCalend.exe
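The Static PE Info, Data Directories, Sections and Imports tables above are the output of the sandbox's own parser. The script below is an added example written for this page (it is not Joe Sandbox code) that reproduces the checks those tables feed: which section holds the entry point, whether the entry is the managed jmp-through-IAT stub that reaches mscoree!_CorExeMain, whether a CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is present, whether the link timestamp lies in the future, and the Shannon entropy of each section. It uses only the Python standard library. build_sample_pe() constructs a small stand-in image whose header values copy the report (ImageBase 0x400000, TimeDateStamp 0x986C96A7, IAT at RVA 0x2000, CLR header at 0x2008, sections .text/.rsrc/.reloc) so that the script runs offline; it is not the real SOA.exe, and its .text payload is a hash chain chosen only to be high-entropy. The file name pe_triage.py and the 7.0 bits/byte entropy threshold are assumptions of this example, not values from the report.

```python
"""Static PE32 triage: entry section, managed jmp-through-IAT stub, CLR header, timestamp, entropy."""
import datetime as dt
import hashlib
import math
import struct
import sys
from collections import Counter
IMAGE_BASE, DIR_IAT, DIR_CLR = 0x400000, 12, 14   # image base; directory indexes of IAT and CLR header
HIGH_ENTROPY = 7.0   # bits per byte; packed or encrypted sections usually sit above this (heuristic)

def parse_pe(data: bytes) -> dict:
    """DOS header -> COFF header -> PE32 optional header -> data directories -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry, base, ndirs = (struct.unpack_from("<I", data, opt + o)[0] for o in (16, 28, 92))
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                     "raw_size": rsize, "raw_ptr": rptr})
    return {"timestamp": tstamp, "entry": entry, "image_base": base, "dirs": dirs, "sections": secs}

def rva_to_section(pe: dict, rva: int):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None

def shannon_entropy(buf: bytes) -> float:
    n = len(buf)   # 0.0 for a constant buffer, 8.0 for uniformly distributed bytes
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage(data: bytes) -> dict:
    """The checks behind a 'Static PE Info' table, returned as a dict of findings."""
    pe = parse_pe(data)
    sec = rva_to_section(pe, pe["entry"])
    off = sec["raw_ptr"] + pe["entry"] - sec["va"] if sec else 0
    stub = data[off:off + 6] if sec else b""
    dirs = pe["dirs"] + [(0, 0)] * 16   # tolerate a truncated directory table
    # Managed EXE: native entry is FF 25 <abs addr> = jmp dword ptr [IAT slot] -> mscoree!_CorExeMain
    is_stub = (len(stub) == 6 and stub[:2] == b"\xff\x25"
               and struct.unpack_from("<I", stub, 2)[0] == pe["image_base"] + dirs[DIR_IAT][0])
    built = dt.datetime.fromtimestamp(pe["timestamp"], dt.timezone.utc)
    entropy = {s["name"]: round(shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]), 2)
               for s in pe["sections"]}
    return {"entry_section": sec["name"] if sec else None,
            "entry_is_clr_stub": is_stub,
            "has_clr_header": dirs[DIR_CLR][1] != 0,
            "build_time": built.isoformat(),
            "timestamp_in_future": built > dt.datetime.now(dt.timezone.utc),
            "section_entropy": entropy,
            "high_entropy_sections": sorted(n for n, e in entropy.items() if e >= HIGH_ENTROPY)}

def align_up(n: int, a: int = 0x200) -> int:
    return (n + a - 1) // a * a

def build_sample_pe() -> bytes:
    """Constructed stand-in for SOA.exe (not the real file); header values copy the report above."""
    payload, h = b"", b"seed"   # a SHA-256 chain stands in for the high-entropy payload
    while len(payload) < 0x2000:
        h = hashlib.sha256(h).digest()
        payload += h
    iat = struct.pack("<II", 0x2050, 0)   # one IAT slot plus terminator
    stub = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + 0x2000)   # jmp dword ptr [00402000h]
    entry_rva = 0x2000 + len(iat) + len(payload)
    layout = [(b".text", 0x2000, iat + payload + stub, 0x60000020),   # (name, VA, body, flags)
              (b".rsrc", 0x100000, b"RSRC", 0x40000040),
              (b".reloc", 0x102000, b"\0" * 0xC, 0x42000040)]
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, 0x2000, 0x8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x986C96A7, 0, 0, len(opt), 0x0102)
    hdr_size = align_up(64 + 4 + len(coff) + len(opt) + 40 * len(layout))
    sec_hdrs, bodies, ptr = b"", b"", hdr_size
    for name, va, body, flags in layout:
        raw = body.ljust(align_up(len(body)), b"\0")
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(raw), ptr, 0, 0, 0, 0, flags)
        bodies, ptr = bodies + raw, ptr + len(raw)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)   # e_lfanew = 64
    head = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return head.ljust(hdr_size, b"\0") + bodies

if __name__ == "__main__":   # python pe_triage.py <file.exe>; with no argument it analyses the built-in sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run against the report's own numbers the same checks line up: entry 0xffb6e falls inside .text (0x2000 to 0xffb74), the IAT directory at 0x2000 is exactly one slot wide (0x8), the COM descriptor is 0x48 bytes at 0x2008, TimeDateStamp 0x986C96A7 decodes to 13 January 2051, and .text carries 7.21 bits per byte. Together these say "single-import .NET loader carrying a high-entropy blob", which matches the ".NET source code contains very large array initializations" signature, and none of it requires executing the file.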

                                                                                                          Network Behavior

                                                                                                          Network Port Distribution

                                                                                                          TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Aug 3, 2021 19:21:30.706737995 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:30.857384920 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:30.861046076 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:31.085036993 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.085583925 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:31.234632015 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.234668970 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.235749960 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:31.384911060 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.420610905 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:31.570003986 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.570041895 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.570066929 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.570084095 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.570106983 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.570238113 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:31.719306946 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.727755070 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:31.881616116 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:31.922703028 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:31.966753960 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.116055965 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:32.126715899 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.276449919 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:32.277735949 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.428767920 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:32.430097103 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.580177069 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:32.580719948 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.737226009 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:32.737736940 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.887079954 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:32.888782978 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.888993979 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.889950037 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:32.890078068 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143
Aug 3, 2021 19:21:33.038342953 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:33.039258957 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:33.133491993 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5
Aug 3, 2021 19:21:33.188472986 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143

                                                                                                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Aug 3, 2021 19:19:21.173340082 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:21.994148970 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:22.037539959 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:22.852190971 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:22.889144897 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:24.213367939 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:24.238931894 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:25.204054117 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:25.235172033 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:26.936831951 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:26.961796045 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:27.889092922 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:27.922369003 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:28.906052113 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:28.933672905 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:30.652527094 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:30.680413008 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:32.011164904 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:32.036238909 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:43.869920969 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:43.903959990 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:19:55.394589901 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:19:55.427367926 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:20:14.524676085 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:20:14.564914942 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:20:15.603499889 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:20:15.651674986 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:20:15.888921022 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:20:15.921649933 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:20:24.865248919 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:20:24.899666071 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:21:00.630386114 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:21:00.673729897 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:21:02.897896051 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:21:02.944967031 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Aug 3, 2021 19:21:30.640806913 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Aug 3, 2021 19:21:30.676964045 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5

                                                                                                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
--- | --- | --- | --- | --- | --- | --- | ---
Aug 3, 2021 19:21:30.640806913 CEST | 192.168.2.5 | 8.8.8.8 | 0x7fc4 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

                                                                                                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Aug 3, 2021 19:21:30.676964045 CEST | 8.8.8.8 | 192.168.2.5 | 0x7fc4 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
Aug 3, 2021 19:21:30.676964045 CEST | 8.8.8.8 | 192.168.2.5 | 0x7fc4 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
Aug 3, 2021 19:21:30.676964045 CEST | 8.8.8.8 | 192.168.2.5 | 0x7fc4 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Aug 3, 2021 19:21:30.676964045 CEST | 8.8.8.8 | 192.168.2.5 | 0x7fc4 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)

                                                                                                          SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
--- | --- | --- | --- | --- | ---
Aug 3, 2021 19:21:31.085036993 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Aug 3, 2021 19:21:31.085583925 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 358075
Aug 3, 2021 19:21:31.234668970 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
 | | | | | 250-PIPELINING
 | | | | | 250-SIZE 41648128
 | | | | | 250-VRFY
 | | | | | 250-ETRN
 | | | | | 250-STARTTLS
 | | | | | 250-AUTH PLAIN LOGIN
 | | | | | 250-AUTH=PLAIN LOGIN
 | | | | | 250-ENHANCEDSTATUSCODES
 | | | | | 250-8BITMIME
 | | | | | 250 DSN
Aug 3, 2021 19:21:31.235749960 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143 | STARTTLS
Aug 3, 2021 19:21:31.384911060 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5 | 220 2.0.0 Ready to start TLS
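The SMTP table above is the only outbound channel in the capture: a submission session to us2.smtp.mailhostbox.com on TCP 587 in which the client identifies itself as "EHLO 358075", the server advertises PLAIN/LOGIN authentication, and the client upgrades to TLS before sending anything else. Everything after the "220 2.0.0 Ready to start TLS" reply is encrypted, so the usable network indicators are the queried name, the four resolved addresses, the contacted address and the EHLO string. The following Python is an added example by the editor, not part of the Joe Sandbox report: it takes the exchange transcribed from the table as constructed input, parses the EHLO reply for extensions and AUTH mechanisms, and applies the editor's own heuristics (a purely numeric EHLO name, STARTTLS completed, plaintext-capable AUTH offered). The flag names are the editor's choice.

```python
"""Summarise a captured SMTP submission session and collect its indicators.

Added example (editor's code, not from the report). SMTP_EXCHANGE and
DNS_ANSWERS are transcribed from the report's SMTP and DNS Answers tables;
the flag names and heuristics are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed from the SMTP table: "S" = 208.91.198.143:587 -> 192.168.2.5:49728,
# "C" = the sample's socket 192.168.2.5:49728 -> 208.91.198.143:587.
SMTP_EXCHANGE = [
    ("S", "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
    ("C", "EHLO 358075"),
    ("S", "250-us2.outbound.mailhostbox.com\r\n250-PIPELINING\r\n250-SIZE 41648128\r\n"
          "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n"
          "250-AUTH=PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
]

# Constructed from the DNS Answers table: (queried name, A record).
DNS_ANSWERS = [
    ("us2.smtp.mailhostbox.com", "208.91.198.143"),
    ("us2.smtp.mailhostbox.com", "208.91.199.224"),
    ("us2.smtp.mailhostbox.com", "208.91.199.225"),
    ("us2.smtp.mailhostbox.com", "208.91.199.223"),
]


@dataclass
class SmtpSummary:
    banner: str = ""
    ehlo_name: str = ""
    extensions: list = field(default_factory=list)
    auth_mechanisms: list = field(default_factory=list)
    starttls_requested: bool = False
    starttls_accepted: bool = False
    flags: list = field(default_factory=list)


def parse_ehlo_response(payload):
    """Return (extension keywords, AUTH mechanisms) from a multi-line 250 reply."""
    exts, auth = [], []
    for line in payload.split("\r\n")[1:]:          # line 1 is the server's own name
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if not m:
            continue
        keyword, args = m.group(1), m.group(2) or ""
        if keyword.startswith("AUTH"):              # covers "AUTH PLAIN LOGIN" and legacy "AUTH=PLAIN LOGIN"
            for mech in re.split(r"[\s=]+", keyword[4:] + " " + args):
                if mech and mech not in auth:
                    auth.append(mech)
        elif keyword not in exts:
            exts.append(keyword)
    return exts, auth


def summarise_session(exchange):
    """Walk the exchange in order, pairing each server reply with the last client command."""
    s = SmtpSummary()
    last_cmd = ""
    for direction, payload in exchange:
        if direction == "C":
            last_cmd, _, rest = payload.partition(" ")
            last_cmd = last_cmd.upper()
            if last_cmd in ("EHLO", "HELO"):
                s.ehlo_name = rest.strip()
            elif last_cmd == "STARTTLS":
                s.starttls_requested = True
            continue
        code = payload[:3]
        if code == "220" and last_cmd == "":
            s.banner = payload[4:]                  # greeting before any client command
        elif code == "250" and last_cmd == "EHLO":
            s.extensions, s.auth_mechanisms = parse_ehlo_response(payload)
        elif code == "220" and last_cmd == "STARTTLS":
            s.starttls_accepted = True              # everything after this is ciphertext on the wire
    # Heuristics (editor's assumptions): mail clients send a hostname or [address literal] in EHLO,
    # not a bare number; a completed STARTTLS means content inspection is impossible downstream.
    if re.fullmatch(r"\d+", s.ehlo_name):
        s.flags.append("ehlo-name-numeric")
    if s.starttls_accepted:
        s.flags.append("payload-encrypted-after-starttls")
    if "PLAIN" in s.auth_mechanisms or "LOGIN" in s.auth_mechanisms:
        s.flags.append("plaintext-auth-offered")
    return s


def network_iocs(dns_answers, contacted_ip):
    """List every resolved address for the queried name, marking the one the sample used."""
    return [{"name": n, "address": a, "contacted": a == contacted_ip} for n, a in dns_answers]


if __name__ == "__main__":
    summary = summarise_session(SMTP_EXCHANGE)
    print(summary)
    for ioc in network_iocs(DNS_ANSWERS, "208.91.198.143"):
        print(ioc)
```

Because the session negotiates STARTTLS before authenticating, the credentials and message body are not visible in the capture; blocking should key on the resolved name and all four A records, not only on 208.91.198.143, since the sample could land on any of them on a later resolution.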

                                                                                                          Code Manipulations

                                                                                                          Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior: interactive per-process charts, not reproduced in this text export.

                                                                                                          System Behavior

                                                                                                          General

Start time: 19:19:29
Start date: 03/08/2021
Path: C:\Users\user\Desktop\SOA.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\SOA.exe'
Imagebase: 0x670000
File size: 1041920 bytes
MD5 hash: 5FBBEC81658402EE0E3CAC046C268C2D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 19:19:54
Start date: 03/08/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0x7b0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000002.503431732.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.505245817.0000000002A61000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 19:20:20
Start date: 03/08/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0x5c0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

General

Start time: 19:20:21
Start date: 03/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:20:28
Start date: 03/08/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0xe50000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 19:20:29
Start date: 03/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
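Two details in the process list above matter more than the Yara hits. First, RegSvcs.exe is started from its legitimate path with no arguments at all, which is not how the tool is used legitimately (it takes an assembly path), and it is the process in which the AgentTesla and credential-stealer rules match on unbacked memory at 0x402000. Second, the persistence binary C:\Users\user\AppData\Roaming\NXLun\NXLun.exe has exactly the MD5 (2867A3817C9245F7CF518524DFD18F28) and size (45152 bytes) of RegSvcs.exe, so it is a copy of the Microsoft binary rather than a new payload; that is why both antivirus lookups report 0%. The following Python is an added example by the editor, not code from the report or from Joe Security: it hunts a process list for exactly these two patterns using process records transcribed from the "General" entries above as constructed input. The list of .NET host binaries and the directory roots are the editor's assumptions, not a vendor allow-list, and the example generalises beyond this report by grouping on MD5 across the whole list rather than matching one known path.

```python
"""Hunt a sandbox or EDR process list for a system binary copied out of C:\\Windows
and for .NET utilities started without an assembly to load.

Added example (editor's code, not from the report). PROCESSES is transcribed
from the System Behavior section; DOTNET_HOSTS, the directory roots and the
finding names are assumptions made for illustration.
"""
from collections import defaultdict

# Constructed from the report's "General" entries (parent/child links are not listed there).
PROCESSES = [
    {"start": "19:19:29", "path": r"C:\Users\user\Desktop\SOA.exe",
     "cmdline": r"'C:\Users\user\Desktop\SOA.exe'",
     "md5": "5FBBEC81658402EE0E3CAC046C268C2D", "size": 1041920},
    {"start": "19:19:54", "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "md5": "2867A3817C9245F7CF518524DFD18F28", "size": 45152},
    {"start": "19:20:20", "path": r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe",
     "cmdline": r"'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'",
     "md5": "2867A3817C9245F7CF518524DFD18F28", "size": 45152},
    {"start": "19:20:21", "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496", "size": 625664},
    {"start": "19:20:28", "path": r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe",
     "cmdline": r"'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'",
     "md5": "2867A3817C9245F7CF518524DFD18F28", "size": 45152},
    {"start": "19:20:29", "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496", "size": 625664},
]

# Assumption: .NET framework utilities that are routinely abused as injection hosts
# and that, when used legitimately, receive an assembly path on the command line.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
SYSTEM_ROOT = r"C:\Windows"


def _under(path, root):
    """Case-insensitive 'path lies below root' for Windows paths."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def _args_after_image(cmdline):
    """Drop the (optionally quoted) image token and return the remaining arguments."""
    cmd = cmdline.strip()
    if cmd[:1] in ("'", '"'):
        end = cmd.find(cmd[0], 1)
        return cmd[end + 1:].strip()
    return cmd.split(" ", 1)[1].strip() if " " in cmd else ""


def hunt(processes):
    """Return (finding, path, detail) tuples; each distinct path/commandline is reported once."""
    findings = []

    # Rule 1: the same MD5 seen both under C:\Windows and outside it means a
    # system binary was copied somewhere user-writable (renaming does not change the hash).
    paths_by_md5 = defaultdict(set)
    for p in processes:
        paths_by_md5[p["md5"].lower()].add(p["path"])
    for md5, paths in paths_by_md5.items():
        inside = sorted(x for x in paths if _under(x, SYSTEM_ROOT))
        outside = sorted(x for x in paths if not _under(x, SYSTEM_ROOT))
        if inside and outside:
            for x in outside:
                findings.append(("system-binary-copied-out-of-windows", x,
                                 f"same MD5 {md5} as {inside[0]}"))

    # Rules 2 and 3 work per distinct process image/commandline.
    seen = set()
    for p in processes:
        key = (p["path"].lower(), p["cmdline"])
        if key in seen:
            continue
        seen.add(key)
        name = p["path"].rsplit("\\", 1)[-1].lower()
        if name in DOTNET_HOSTS and _args_after_image(p["cmdline"]) == "":
            findings.append(("dotnet-host-started-without-assembly", p["path"],
                             "no arguments; legitimate use passes an assembly path"))
        if "\\appdata\\" in p["path"].lower():
            findings.append(("executable-under-appdata", p["path"],
                             "process image in a user-writable profile directory"))
    return findings


if __name__ == "__main__":
    for finding in hunt(PROCESSES):
        print(finding)
```

Rule 1 is the one that survives the renaming: NXLun.exe is never in DOTNET_HOSTS, so the no-arguments rule cannot see it, but its hash ties it to RegSvcs.exe regardless of the file name. In a real environment, replace the in-list MD5 grouping with a lookup against the hashes of the binaries actually shipped under C:\Windows, and treat the SOA.exe process (reputation low, under Desktop) as the candidate parent for both the hollowed RegSvcs.exe and the dropped copy.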

                                                                                                          Disassembly

                                                                                                          Code Analysis


                                                                                                            Executed Functions

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 13f7455927a1f46fcaa1e884b5f09c4b5abeb6eb35f23cc0255e70b109f84fdb
                                                                                                            • Instruction ID: 204405a8d1b9e22f2e3f17a9e71a3e48690990d2fc247a27cff8493cdd9437d5
                                                                                                            • Opcode Fuzzy Hash: 13f7455927a1f46fcaa1e884b5f09c4b5abeb6eb35f23cc0255e70b109f84fdb
                                                                                                            • Instruction Fuzzy Hash: 1A630B30D10B198ECB10EF68C884A99F7B1FF99300F15D69AE45877221EB70AAD5CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e47e2f15bbfe6770c72b0bc8ea2567e18f5c66070b18bedfbc9a6f16f6b95be0
                                                                                                            • Instruction ID: 915525ce627ccc2c6056b32387aca3435e048726c5767f424621a977e25d0124
                                                                                                            • Opcode Fuzzy Hash: e47e2f15bbfe6770c72b0bc8ea2567e18f5c66070b18bedfbc9a6f16f6b95be0
                                                                                                            • Instruction Fuzzy Hash: D8531C30D10B198ECB10EF68C884699F7B1FF95310F15D69AE458BB221EB70AAD5CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9e6f8a86d3ffad8a056516d7fe9ca9e976dadecf8ce540a854be694acb8f146b
                                                                                                            • Instruction ID: 39144d8b075541fd7916d543e3215d6f8e388436324b796edd6f235a56a43b34
                                                                                                            • Opcode Fuzzy Hash: 9e6f8a86d3ffad8a056516d7fe9ca9e976dadecf8ce540a854be694acb8f146b
                                                                                                            • Instruction Fuzzy Hash: D522C030B002058FCB14EB78D5586AEB7F2AF85344F14856AD406DB395EF79DC46CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3ac516c06062d660cd8af534ceb88ad2d7ad11ff47458784ca7bbdb94363026b
                                                                                                            • Instruction ID: 2bfb62c00a3771a83613332971d71728ce1214ed91bb39d7ef20c46516b641a5
                                                                                                            • Opcode Fuzzy Hash: 3ac516c06062d660cd8af534ceb88ad2d7ad11ff47458784ca7bbdb94363026b
                                                                                                            • Instruction Fuzzy Hash: 8422A030B043549FDB14DB78C854B6EBBF2AF89304F1985AAE405EB392DB35DC458BA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 86ff6ceab9859f43c93fead89038d130b0547ceda74046d6cd95709418294053
                                                                                                            • Instruction ID: ba144664c2eceb9de2478cdb9a765bd2da6a8ea420614b60a6e956897c6932ef
                                                                                                            • Opcode Fuzzy Hash: 86ff6ceab9859f43c93fead89038d130b0547ceda74046d6cd95709418294053
                                                                                                            • Instruction Fuzzy Hash: C9F17F30A002199FCB14DFB8C98879DBBF2AFC4314F24856AD415EB795DB35EC428BA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 25f41895f9fe771ec69fecad72838594113a1c78b4b2a80b383013c7a7406619
                                                                                                            • Instruction ID: 1e090aa630f68789574b323c55091ac024355ef55084c41ef1ecceca433e8bf1
                                                                                                            • Opcode Fuzzy Hash: 25f41895f9fe771ec69fecad72838594113a1c78b4b2a80b383013c7a7406619
                                                                                                            • Instruction Fuzzy Hash: 03E178F1D157898FE712CF64F8481893BB1FB86318F118219D1616B2E2D7BE186ECB94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 47dc1d25df748fd0bf73a170ac2564aeb5437f57d1d4febdd9a5c2b9c06fadae
                                                                                                            • Instruction ID: 66c8798ce579b846a9fe083ee08c4f60491beef2669271c78726343fc0f6a692
                                                                                                            • Opcode Fuzzy Hash: 47dc1d25df748fd0bf73a170ac2564aeb5437f57d1d4febdd9a5c2b9c06fadae
                                                                                                            • Instruction Fuzzy Hash: A312BFF0D1174A8BE361CF65F9481993BA1F785328F508208D2612B2E1D7BE19BECF94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 02A26BB0
                                                                                                            • GetCurrentThread.KERNEL32 ref: 02A26BED
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 02A26C2A
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02A26C83
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: 2f7685b09292ca84490301286d10f732e66431ac0c829b6f9068e60fe4eaec47
                                                                                                            • Instruction ID: 0387c8b27e71962a6e81ded4b4f72a19c6b5d574ffa6d75cd249055b83d2161e
                                                                                                            • Opcode Fuzzy Hash: 2f7685b09292ca84490301286d10f732e66431ac0c829b6f9068e60fe4eaec47
                                                                                                            • Instruction Fuzzy Hash: 815154B0A012498FDB14DFA9D688BDEBBF5FF49318F248459E409A7350DB34A848CF61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2994545307-0
                                                                                                            • Opcode ID: 83836bfbce4f1b3fcbda7d70035460167dbccb7f5d02d6f8144c47b312ed2bb2
                                                                                                            • Instruction ID: 73e8b4a63ea66d7040d2b9dc8cbd5448376de7cb0a88bc7435ac6473c06199f8
                                                                                                            • Opcode Fuzzy Hash: 83836bfbce4f1b3fcbda7d70035460167dbccb7f5d02d6f8144c47b312ed2bb2
                                                                                                            • Instruction Fuzzy Hash: C1419431B002059FCB14EF78D849AAEB7B6FF84340F14892AE516AB355DF75D8058BA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 17ab6506e7cf3f19151c85975c13a71d6be516e37f117bf19c9a55feed58b147
                                                                                                            • Instruction ID: 20e1772f0746c5b3dd6d55b1716a2856427a4b98a920273eca3f26afcfd70e6f
                                                                                                            • Opcode Fuzzy Hash: 17ab6506e7cf3f19151c85975c13a71d6be516e37f117bf19c9a55feed58b147
                                                                                                            • Instruction Fuzzy Hash: 9B41E172E143558FCB04CFA9D8046DEBBB1AF89314F09856BD508A7741EB789845CBE1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A252A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: 6fd480559935362d1823f94fe9b25489d78a157019db081f9788a61443be73e7
                                                                                                            • Instruction ID: 4890101ca74594ae4ffbeb8a9475689a1899fef4c2cc5557722fb31e70b4fbb9
                                                                                                            • Opcode Fuzzy Hash: 6fd480559935362d1823f94fe9b25489d78a157019db081f9788a61443be73e7
                                                                                                            • Instruction Fuzzy Hash: 1751D1B1D103189FDB14CF99C984ADEFBB5FF48314F64812AE819AB250DB759885CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A252A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: dcca7090d105a1da1d6c295a7c47747d8c472aabc230f661eff9939d1db5f38d
                                                                                                            • Instruction ID: 53279a08421521f16636f247f45129e11ba765e26beadfd63f6abb06c002ac69
                                                                                                            • Opcode Fuzzy Hash: dcca7090d105a1da1d6c295a7c47747d8c472aabc230f661eff9939d1db5f38d
                                                                                                            • Instruction Fuzzy Hash: 7441D0B1D103189FDB14CF99C984ADEFBB5BF48314F64812AE819AB250DB71A845CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 02A27CF9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CallProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2714655100-0
                                                                                                            • Opcode ID: bc154e9766cdecfb948ce393d78e36c54447881543b38a730e2079dd765e90e7
                                                                                                            • Instruction ID: 59ca1f7c0ae1a35a73cdd724472c5b5486a62b9f6fc3631ca08ab7f497fe1600
                                                                                                            • Opcode Fuzzy Hash: bc154e9766cdecfb948ce393d78e36c54447881543b38a730e2079dd765e90e7
                                                                                                            • Instruction Fuzzy Hash: B64138B5A003598FDB14CF99C888BAAFBF5FF88314F148459E419AB321C734A945CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A26DFF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 666d29447aa341c7408ad9dcc4daf34ca20e3a0dd93cc7a028166fe7c0ff0d80
                                                                                                            • Instruction ID: 2d6e2bf332f96fe8e60c172ad489d4fe96c5631940ad8cc558ae206333bbffc8
                                                                                                            • Opcode Fuzzy Hash: 666d29447aa341c7408ad9dcc4daf34ca20e3a0dd93cc7a028166fe7c0ff0d80
                                                                                                            • Instruction Fuzzy Hash: 0F21F5B59012189FDB10CFA9D484BDEFBF4FB48324F14841AE919A7310D778A955CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A26DFF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 3793708945-0
                                                                                                            • Opcode ID: 04f3516c95ee4a27d59c631814c9e24459eae1deab91d75c21c1893ed19d034b
                                                                                                            • Instruction ID: 4cdda58d49190841fedb4e616d9030828eb5262ca0a2de11bbd884000a9dde53
                                                                                                            • Opcode Fuzzy Hash: 04f3516c95ee4a27d59c631814c9e24459eae1deab91d75c21c1893ed19d034b
                                                                                                            • Instruction Fuzzy Hash: 7F21F3B5900218AFDB10CFA9D884ADEFBF8FB48324F14841AE914A3310D778A954CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00DDCC4A), ref: 00DDCD37
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: GlobalMemoryStatus
                                                                                                            • String ID:
                                                                                                            • API String ID: 1890195054-0
                                                                                                            • Opcode ID: 0689dce9ec9fa3b3809abdf13c30bcd7231fc07db029cbedddd79d547e77c229
• Instruction ID: 1542f0215ce544b385cbdf98449ed8534a6dff43ee0754245500e5f76d8963a5
• Opcode Fuzzy Hash: 0689dce9ec9fa3b3809abdf13c30bcd7231fc07db029cbedddd79d547e77c229
• Instruction Fuzzy Hash: 4C1142B1C1425A9BCB00CF9AD844BDEFBF4AB48324F05816AE918B7300D378A945CFE1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 02A2BE72
Memory Dump Source
• Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 557862675113ec08a67f8e3c392fcead9e01469e209bbf096b9c848c190b86e9
• Instruction ID: 6e5aac7009c3097a1580051f267f2ca15e44a3db350371d1d4c764512f8a9b2f
• Opcode Fuzzy Hash: 557862675113ec08a67f8e3c392fcead9e01469e209bbf096b9c848c190b86e9
• Instruction Fuzzy Hash: C3116DB1901359CFDB20EF69D5487DEBBF4FB45318F14842AD549A7600CB396548CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00DDCC4A), ref: 00DDCD37
Memory Dump Source
• Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: f5d881dc469a46c7323276133c841c4586d7a1be5ea0699b1a0f59219638a4a5
• Instruction ID: 147062dc753179c26ce46bb7734d78b2e44ac5e96e17a94547f13c918b966dea
• Opcode Fuzzy Hash: f5d881dc469a46c7323276133c841c4586d7a1be5ea0699b1a0f59219638a4a5
• Instruction Fuzzy Hash: FD1123B2C0061A9BCB00CF9AD5447DEFBB4BF48324F05852AD818B7340D378A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02A24216
Memory Dump Source
• Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 3bc1af0913dc4fbc708528534251dfcdfbb7bc355d406fcd9664b00e41ef6026
• Instruction ID: 8bcd8ac1114648627d09f599d7e2490b4a44b75d7ead8b6290c6dc121e563779
• Opcode Fuzzy Hash: 3bc1af0913dc4fbc708528534251dfcdfbb7bc355d406fcd9664b00e41ef6026
• Instruction Fuzzy Hash: 391102B1D002598FDB10DF9AD844BDEFBF4EB89224F15846AD829B7200C775A549CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02A24216
Memory Dump Source
• Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 137e5f884daf74a3a78916f9bb046a5b9c1f162e9786b2dbe43c9cd630011547
• Instruction ID: ef5a595ec7a542f268815c6a7514b0dcef39783aa20056ea0163d6616739fcf8
• Opcode Fuzzy Hash: 137e5f884daf74a3a78916f9bb046a5b9c1f162e9786b2dbe43c9cd630011547
• Instruction Fuzzy Hash: 261113B6D006598FDB10CFAAD4847DEFBF5EB48324F15842AC429B7600C774A54ACFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.504507863.0000000000E6D000.00000040.00000001.sdmp, Offset: 00E6D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12d8c37915dba69f30a78687a765118897629eb14014432eaf9b11e191b8c5a9
• Instruction ID: 16a5c79cac339a199a28e289b7da431df7f9f5665916b6037ba3c356137b9615
• Opcode Fuzzy Hash: 12d8c37915dba69f30a78687a765118897629eb14014432eaf9b11e191b8c5a9
• Instruction Fuzzy Hash: 3E216AB1A48240DFCB01DF04EDC0F26BF65FB94368F248569E8065B646C336D856CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.504801509.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1363c2aa51e8c0e942afe441dda40fdd4a5fbb36e1ab548867b32ed4fdee53ad
• Instruction ID: ceaf3fcb9c73bd5013f98c987685af1cc9778059f1832476ac010ce84134679d
• Opcode Fuzzy Hash: 1363c2aa51e8c0e942afe441dda40fdd4a5fbb36e1ab548867b32ed4fdee53ad
• Instruction Fuzzy Hash: 972137B1908240DFCB16CF54D9C4B26BBA1FF84354F24C9ADE9894B246C336D847CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.504801509.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2241b38b4b86ab114af5f9d10aae498158dbc659a8b038a3eeae1c22b9008a8
• Instruction ID: eb25add6b64992fbcf19aabff3e4c1ed2c7c8dcebee69b179cfc4ba7408868ce
• Opcode Fuzzy Hash: b2241b38b4b86ab114af5f9d10aae498158dbc659a8b038a3eeae1c22b9008a8
• Instruction Fuzzy Hash: 192192755093808FCB13CF24D990715BFB1EF46214F28C6DAD8898B657C33A984ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.504507863.0000000000E6D000.00000040.00000001.sdmp, Offset: 00E6D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
• Instruction ID: f9fbc6ff8eac2e5d9ed459d0a66eb5c39514181d1ddf7de75a7c3b63b1333466
• Opcode Fuzzy Hash: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
• Instruction Fuzzy Hash: EC11E976944240CFCF11CF10D9C4B16BF71FB94324F28C6A9D8055B616C336D85ACB91
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86a135325b357a759e003f05335f2d7fe6f84c06caa294b2c462876cf0b32e3d
• Instruction ID: 15cd4bd3c6c9f7c7e6d24f4d1bea7aef0e338236ce475d0d87afc26f6ebed8f2
• Opcode Fuzzy Hash: 86a135325b357a759e003f05335f2d7fe6f84c06caa294b2c462876cf0b32e3d
• Instruction Fuzzy Hash: BE03FA70D10A198ECB14EF68C894AADF7B1FF99300F15D69AE449B7211EB30AAC5CF51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 272f21c03c287d1545785a1ac1241f9fee299ead034110056b090b3c09df8fad
• Instruction ID: c888b2aef895a117a083130a029499a5a9392e9b25dfbf643f0d53f181c86f79
• Opcode Fuzzy Hash: 272f21c03c287d1545785a1ac1241f9fee299ead034110056b090b3c09df8fad
• Instruction Fuzzy Hash: 01921B70E006598FCB54EF68C8906ADF7F1AF89304F15C6AAD449AB351EB30AE85CF51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 85bea11f629ff49e314d8de7dc864f087d700b258a935c109b841d04b5bff60a
• Instruction ID: 82cac702dc0c44b8dc13b055972df7acdea9abf0bbc06fbc2257bf74815e99fe
• Opcode Fuzzy Hash: 85bea11f629ff49e314d8de7dc864f087d700b258a935c109b841d04b5bff60a
• Instruction Fuzzy Hash: 51024930A002188FDB24EBB9C858B9DBBF2BF88304F1184AAD509E7795DF359D45CB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.504262733.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b158be5d6a80ebdb0eda1a89f67d2b1660777c01344cee50f24a2d177d2c78a2
• Instruction ID: 76c21e7126e90c300abc47439d61f847de38766021d065f970bd072a20176dbe
• Opcode Fuzzy Hash: b158be5d6a80ebdb0eda1a89f67d2b1660777c01344cee50f24a2d177d2c78a2
• Instruction Fuzzy Hash: C8C19E70A08309CBCF285F6595152ADBBB7AF89710F19842ED882E6788CF35CC51DB72
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.505152609.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca80b063711e26aef2cb13520ebe6a6b262ab7e80ce6fd472e969289015be3ba
• Instruction ID: 2cd1b0b712331780fd2d7c48fadf423ff626b394c00be92e5ee0a497c80d0b20
• Opcode Fuzzy Hash: ca80b063711e26aef2cb13520ebe6a6b262ab7e80ce6fd472e969289015be3ba
• Instruction Fuzzy Hash: 1291C534B042148BDB18AB79986867E77B7BFC9204F05882DF546E778DDF39C8068B91
Uniqueness
Uniqueness Score: -1.00%

Executed Functions

Memory Dump Source
• Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65e7cb416b1069da28042e7c8c3ca95c50964bb03e51c4c0b6c65fa57b148639
• Instruction ID: 693a704039db43c4c0e7a71c7c31f0cae000a518b5e5b0cb47cfe195b48c6781
• Opcode Fuzzy Hash: 65e7cb416b1069da28042e7c8c3ca95c50964bb03e51c4c0b6c65fa57b148639
• Instruction Fuzzy Hash: F0328F34704601CFC728EF64E994B6A73A2EF84709B508938D54A9F798DB35EC86CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ad056861073d2a41d7993064d8b4e041fea67beb2f12f4c45f084cecc19e747
• Instruction ID: 16a659b447b700ba84e5aa38dadc598251f9e389580467596c2439458f0a9bc0
• Opcode Fuzzy Hash: 3ad056861073d2a41d7993064d8b4e041fea67beb2f12f4c45f084cecc19e747
• Instruction Fuzzy Hash: 6681C535A047458FCB2A9B64D85879EBBF3EF88314F058929D8466B7A4DF34E8C5CB40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f05892b227594f765844cb6e64adf3c27c4229173a72c2e8f69fd36d259ec816
• Instruction ID: ea29056197eec8614f103549b6db1bf3724d116a489e1022766c811765efbfe6
• Opcode Fuzzy Hash: f05892b227594f765844cb6e64adf3c27c4229173a72c2e8f69fd36d259ec816
• Instruction Fuzzy Hash: 32316B707042108FC769AB38D56896D37E2AF9A61931208BDE506CF771DF36EC86CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9476af208241d0d3d1a8612cc1fd366af62a0b63580aee2a05734f2b553a1c50
• Instruction ID: e4c17af129b54288a42d0604141d047fe347475b2914de8f1449c38df8018f7e
• Opcode Fuzzy Hash: 9476af208241d0d3d1a8612cc1fd366af62a0b63580aee2a05734f2b553a1c50
• Instruction Fuzzy Hash: 602139747002208FC769AB38D15892D33E2AF9A61931208BCE506CF771DF32EC86CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d0ebf05ccc23c1fd49182dd8c325fc3098a4ae0f542b99f44f4a13eb0ab531f
• Instruction ID: 71b01493331b3a943835829d794032570704045c0c790ccb1dddbb41f80f8f22
• Opcode Fuzzy Hash: 3d0ebf05ccc23c1fd49182dd8c325fc3098a4ae0f542b99f44f4a13eb0ab531f
• Instruction Fuzzy Hash: 55110475E042058FCB51DFB8D848DEEFBB1FF88300B10866AD5189B720E7309905CB80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 55783ade87fec5f7cfc4a95241cec8c7a0b4b8cfb1e5d21d32634449f771c83b
                                                                                                            • Instruction ID: 10e770baa30ff2512a724f480f9c15202b9801729dab0ebcc84a675444f9e858
                                                                                                            • Opcode Fuzzy Hash: 55783ade87fec5f7cfc4a95241cec8c7a0b4b8cfb1e5d21d32634449f771c83b
                                                                                                            • Instruction Fuzzy Hash: AB015275E002059FCB50EFB9D984CDEFBB5FF893107118666E5199B321EB31A915CB80
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9fa85c49d6781ce4a10530dad6893404f2b1739f4254eb063bdf57ab10deab2c
                                                                                                            • Instruction ID: a7e0a8f34145a50e2b894fbaab3cc7b785cbb1b59d6435cc90348e772684a872
                                                                                                            • Opcode Fuzzy Hash: 9fa85c49d6781ce4a10530dad6893404f2b1739f4254eb063bdf57ab10deab2c
                                                                                                            • Instruction Fuzzy Hash: 13F09061C0A3845FDB438BB828822EA7FB0AE0B61074558F3CC97D6113E3218A498796
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9e90dafdebb90a5f70fe483654af38db31ef193dcc3d9d1b08a8f6b746cf54ae
                                                                                                            • Instruction ID: a413d33201dfef9d0ed807e17cd26c02b0dfd2015379eb4ae23939e74e38a87c
                                                                                                            • Opcode Fuzzy Hash: 9e90dafdebb90a5f70fe483654af38db31ef193dcc3d9d1b08a8f6b746cf54ae
                                                                                                            • Instruction Fuzzy Hash: B3F01C70A00205CFDB25DB68C5597AD7BB0AF48218F150869D442A73A1CB75A984CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 71d8f01add7f2dd5014c348bb9eb580edbd9aa391da732cac8086cf53351bb2d
                                                                                                            • Instruction ID: c3d95e2f44b2b587a9a253485da24dd2d9206f10169e310d223ccb361d5f8bf0
                                                                                                            • Opcode Fuzzy Hash: 71d8f01add7f2dd5014c348bb9eb580edbd9aa391da732cac8086cf53351bb2d
                                                                                                            • Instruction Fuzzy Hash: 76D017357042149FC724EB68E949B8A7BA8AF09A11F5040A5EA0CCB2A4DB62E814CBD1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.349094770.0000000002710000.00000040.00000001.sdmp, Offset: 02710000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dd1079ef17d0efe8b30c0878bdbd8d04f1847c27fc022a4348a386ca7c587696
                                                                                                            • Instruction ID: 29af741acc39cc2fb2e4df2169fa30276cb644697556841f8a2e54959a295d6b
                                                                                                            • Opcode Fuzzy Hash: dd1079ef17d0efe8b30c0878bdbd8d04f1847c27fc022a4348a386ca7c587696
                                                                                                            • Instruction Fuzzy Hash: 93D067B1D00229AF8B80EFBD99052DEBBF8FE09251B1045A6DD19E3200E6709A10CBD1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 00000013.00000002.366363368.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false

Non-executed Functions