
Windows Analysis Report SOA.exe

Overview

General Information

Sample Name:SOA.exe
Analysis ID:458920
MD5:170f199a743cc527f5f222594ae66559
SHA1:5de323016e6f72653d7350ba45dfc73a208a580a
SHA256:2b4fef6d86dbcf4905dc110ed199516a9162266d69486d0aa14c26b71c8072db
Tags:AgentTeslaexe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • SOA.exe (PID: 6128 cmdline: 'C:\Users\user\Desktop\SOA.exe' MD5: 170F199A743CC527F5F222594AE66559)
    • RegSvcs.exe (PID: 6060 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 5076 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6088 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 3924 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "paola.micheli@copangroup.xyz", "Password": "gibson.1990", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegSvcs.exe PID: 5076 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegSvcs.exe PID: 5076 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started
Author: Florian Roth
Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SOA.exe', ParentImage: C:\Users\user\Desktop\SOA.exe, ParentProcessId: 6128, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6060

Sigma detected: Possible Applocker Bypass
Source: Process started
Author: juju4
Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SOA.exe', ParentImage: C:\Users\user\Desktop\SOA.exe, ParentProcessId: 6128, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6060

                Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 6.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "paola.micheli@copangroup.xyz", "Password": "gibson.1990", "Host": "us2.smtp.mailhostbox.com"}

Multi AV Scanner detection for submitted file
Source: SOA.exe | Virustotal: Detection: 57%
Source: SOA.exe | Metadefender: Detection: 37%
Source: SOA.exe | ReversingLabs: Detection: 78%

Machine Learning detection for sample
Source: SOA.exe | Joe Sandbox ML: detected
Source: 6.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SOA.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SOA.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000012.00000000.316246964.0000000000412000.00000002.00020000.sdmp, NXLun.exe, 00000015.00000000.333718102.0000000000A82000.00000002.00020000.sdmp, NXLun.exe.6.dr
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 00000012.00000002.319500233.0000000004C00000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.6.dr
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 208.91.199.225 208.91.199.225
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 208.91.199.225:587
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: RegSvcs.exe, 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000006.00000002.477357343.000000000313B000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.477557900.0000000003170000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.477019431.0000000003104000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.477528047.0000000003168000.00000004.00000001.sdmp | String found in binary or memory: http://UYWn7rRVbuma0uFbuM.com
Source: RegSvcs.exe, 00000006.00000002.481185884.0000000005FF0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.usertrust.co:d
Source: RegSvcs.exe, 00000006.00000002.477411883.0000000003145000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp | String found in binary or memory: http://hFHvHh.com
Source: SOA.exe | String found in binary or memory: http://i.imgur.com/blkrqBo.gifiThis
Source: RegSvcs.exe, 00000006.00000002.477411883.0000000003145000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: RegSvcs.exe, 00000006.00000002.477411883.0000000003145000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SOA.exe, 00000000.00000003.208185188.0000000005CC5000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlX
Source: SOA.exe, 00000000.00000003.208146385.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmls
Source: SOA.exe, 00000000.00000003.209903673.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SOA.exe, 00000000.00000003.208816372.0000000005CBE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/2
Source: SOA.exe, 00000000.00000003.209222976.0000000005C99000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlT
Source: SOA.exe, 00000000.00000003.210227911.0000000005C87000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: SOA.exe, 00000000.00000003.209903673.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: SOA.exe, 00000000.00000003.210227911.0000000005C87000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: SOA.exe, 00000000.00000003.209903673.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomF
Source: SOA.exe, 00000000.00000003.210227911.0000000005C87000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtoTF?
Source: SOA.exe, 00000000.00000003.203772301.0000000005C9B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SOA.exe, 00000000.00000003.206465425.0000000005C88000.00000004.00000001.sdmp, SOA.exe, 00000000.00000003.205971735.0000000005C87000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SOA.exe, 00000000.00000003.205971735.0000000005C87000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn-
Source: SOA.exe, 00000000.00000003.205971735.0000000005C87000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnQ
Source: SOA.exe, 00000000.00000003.206465425.0000000005C88000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: SOA.exe, 00000000.00000003.205513278.0000000005C8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: SOA.exe, 00000000.00000003.210853280.0000000005C93000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: SOA.exe, 00000000.00000003.210853280.0000000005C93000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmo&
Source: SOA.exe, 00000000.00000003.208235675.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SOA.exe, 00000000.00000003.208235675.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/96
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: SOA.exe, 00000000.00000003.208235675.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SOA.exe, 00000000.00000003.207813723.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0fo?
Source: SOA.exe, 00000000.00000003.207813723.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/het
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SOA.exe, 00000000.00000003.207813723.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: SOA.exe, 00000000.00000003.208235675.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/lt
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: SOA.exe, 00000000.00000003.207983894.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: SOA.exe, 00000000.00000003.206465425.0000000005C88000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.
Source: SOA.exe, 00000000.00000003.203304770.0000000005C83000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SOA.exe, 00000000.00000003.203304770.0000000005C83000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com2
Source: SOA.exe, 00000000.00000003.203304770.0000000005C83000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma
Source: SOA.exe, 00000000.00000003.208235675.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comh)
Source: SOA.exe, 00000000.00000003.209903673.0000000005C85000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: RegSvcs.exe, 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000006.00000002.477411883.0000000003145000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: SOA.exe | String found in binary or memory: https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f
Source: RegSvcs.exe, 00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 6.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b96D7ABB9u002d40EDu002d48D0u002dBF36u002dDF423462F388u007d/u0032241B3BCu002dF0A1u002d4679u002d849Bu002d1DE40CAF4318.cs | Large array initialization: .cctor: array initializer size 11962

.NET source code contains very large strings
Source: SOA.exe, eZvIx3u5LRtZulypN4/lnEtyefF5hhNddy5oW.cs | Long String: Length: 10292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01203023
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_012007D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01206B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01201F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_012072C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01209C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_012F47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_012F4773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_012FD661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06266508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_062690D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06267120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06266850
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0626BEB8 appears 48 times
Source: SOA.exe, 00000000.00000000.200865178.0000000000872000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameValueTup.exe2 vs SOA.exe
Source: SOA.exe | Binary or memory string: OriginalFilenameValueTup.exe2 vs SOA.exe
Source: SOA.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 6.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: SOA.exe, gMayvqL0oDpo5eiCwm/bspmWYGsTV3cq5TYkn.cs | Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAKRJREFUeNpi/P//P8NgBkwMgxyMOnDUgaMOHHXgqANHHTjqwAEGoNYMMgYCeyA+CZIiAm8HYhWaugeLA58T6TgY3ohk/l4S9aLjvejuwRbFEiR6WhGJ/YvCAMTQz0LlFOM5mospBBSnQVo7cDQNjqZBaqTBpyQ66hEt0yC2msSDhNrkEhBr0bKqYxwdWRh14KgDRx046sBRB446cNSBQ9qBAAEGAPhFqjdpHPl0AAAAAElFTkSuQmCC'
Source: SOA.exe, eZvIx3u5LRtZulypN4/lnEtyefF5hhNddy5oW.cs | Base64 encoded string: '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
Source: SOA.exe, hFiJ6axJ61DwUJ0n5h/Qc3afSe8I4js0voE2U.cs | Base64 encoded string: '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', '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'
Source: SOA.exe, sswPafmLDHl8YsTqQ9O/cYKoC2mG5mMsdLPJyN4.cs | Base64 encoded string: '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
Source: SOA.exe, R7sYdEmTTxROR35UAKW/wsC1OOmXailXP5X43G8.cs | Base64 encoded string: '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
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/6@1/1
Source: C:\Users\user\Desktop\SOA.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:120:WilError_01
Source: C:\Users\user\Desktop\SOA.exe | Mutant created: \Sessions\1\BaseNamedObjects\agGydITm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_01
Source: SOA.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SOA.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SOA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SOA.exe | Virustotal: Detection: 57%
Source: SOA.exe | Metadefender: Detection: 37%
Source: SOA.exe | ReversingLabs: Detection: 78%
Source: unknown | Process created: C:\Users\user\Desktop\SOA.exe 'C:\Users\user\Desktop\SOA.exe'
Source: C:\Users\user\Desktop\SOA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\SOA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\SOA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SOA.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SOA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SOA.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SOA.exe | Static file information: File size 1148416 > 1048576
Source: SOA.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117c00
Source: SOA.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000012.00000000.316246964.0000000000412000.00000002.00020000.sdmp, NXLun.exe, 00000015.00000000.333718102.0000000000A82000.00000002.00020000.sdmp, NXLun.exe.6.dr
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 00000012.00000002.319500233.0000000004C00000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.6.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_012F3A51 push cs; retf 0002h 6_2_012F3A52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0626AF28 push esi; retf 5502h 6_2_0626AFFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0626EC80 push eax; ret 6_2_0626ED51
Source: initial sample | Static PE information: section name: .text entropy: 6.92815557237
Source: SOA.exe, gMayvqL0oDpo5eiCwm/bspmWYGsTV3cq5TYkn.cs | High entropy of concatenated method names: 'CS182CeR7Q', 'T4R8oGr4SB', 'WKp8y7xKBi', 'A4t86sEXn0', 'LvZ8BnAfBe', 'yD683UCA15', 'kjg877LnXj', 'P5C8DJrifB', 'm4h8d7LnMP', 'hiN80v8dge'
Source: SOA.exe, acj4GXbw2hNn30YAfE/uLTwAGILSUrJwKSGiF.cs | High entropy of concatenated method names: 'Alhd60RcN', 'uOM0hH8uN', 'xeACgUv3c', 'Aclthy2xk', 'jW9Tr5Nc2', 'dkkxXfgQY', 'a0pQWCnu4', 'Rf5qy62UL', '.ctor', 'DkV3lNC7p'
Source: SOA.exe, eZvIx3u5LRtZulypN4/lnEtyefF5hhNddy5oW.cs | High entropy of concatenated method names: 'vSH1Y1hpM4', 'PGk1EZGQrF', 'LqK1I9NDIj', 'lXf1ftK4SL', 'HZV1GaYnR1', 'Ouc1nQg0Io', 'SbU12oyibw', 'Px71oaVF8N', 'Ghf1jVoDce', 'SLP19wS2Rt'
Source: SOA.exe, XXlyYKmdRfNfcyXVbLe/ePKtikmhrrOic0GNxe2.cs | High entropy of concatenated method names: '.ctor', 'YIflxrXgRl', 'ADAlZTh8GA', 'cLflqC3g3u', 'PS4lP5eTtJ', 'xiIl9fQWPG', 'SMglpj5kEA', 'wRNlMUercI', 'HJXlhmOn3G', 'plLlKWGPoD'
Source: SOA.exe, RDOd8m5oelKoQX6eWW/CT0YZajLMmK1Re7S2W.cs | High entropy of concatenated method names: '.ctor', 'KCmR255yNP', 'DUIRoeL1XW', 'Lt7Ryi5ZUW', 'hT7R6xT4ES', 'nMiRB2tMOf', 'rQmR3boYkr', 'lWmR7jgkQ5', 'ao4RD9erIq', 'PdpRduUSNk'
Source: SOA.exe, h181Mwq43bUgPWNMoE/AUpXk43f7yQeg3VIde.cs | High entropy of concatenated method names: '.ctor', 'eKPRr43La5', 'mgIR89TgZ4', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'vLuR14qlVQ', 'obo5tjEdpCsuUD2BgCu', 'EwSfQNEYrKmqSHlyqnL'
Source: SOA.exe, AxfTdyaobDg9KW57lEA/H0Oyp4mzR6x2wuA5Fm2.cs | High entropy of concatenated method names: 'e85HOewnQc', 'Q4hHzxkaW5', 'pOhTvdXuuI', 'AboTbCQxk8', 'gH9Twgohxv', 'R88TRylbkt', 'l0KTrDlnGF', 'oM9T87nigh', 'e2FTYXjc38', 'xXpTEbl40K'
Source: SOA.exe, gNG2y5mxDYeYBBxFMiV/x2HIRBmeY3vDyD5x6Kn.cs | High entropy of concatenated method names: '.ctor', 'ab8t3TcgYD', 'KcotlpkHxW', 'QxAtDchxBy', 'pWAtens17A', 'CWqt0VNna7', 'k5ntgosjIs', 'wsDttKvGqY', 'hsvtHqKODH', 'ECDtxAnRYx'
Source: SOA.exe, zQ9lCPmHXrtw8XBbwgt/dWGeolm9ZxyZqxTGRbY.cs | High entropy of concatenated method names: '.ctor', 'pwHgzk6hOi', 'vuICukQASH', 'WqLCbo04nj', 'qTSCJvAqfI', 'G02CRDYru2', 'eVeC1ofTPM', 'LmrC8Y36oC', 'YNJCSJW8Vf', 'rU0CEqV9g5'
Source: SOA.exe, XFcl0WvjM0rtNh0yBp/A8kAsV1kiH1vnLMrA2.cs | High entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'zL6YEgRN8G', 'pABpNydWwhbFcfZLA4a', 'P7sQ6Hdjg282Qe6q1wj', 'JqrWLRdexsWFgUQ5wWr'
Source: SOA.exe, rT5hH3RuB6fRHPycNw/wMqsgkgAmuKNbfEYNC.cs | High entropy of concatenated method names: 'iiEwCWdUvP', 'bvrwTpdS4X', 'w3hwxIbmNY', 'pwfwQ2P7Gb', 'CyKwq4iJlC', 'j6vwji2MTR', 'mekw98kNP2', 'ljIwcwt6Fa', 'qf2wM2TeQr', 'GwlwAxw04d'
Source: SOA.exe, ATkPhhHeeqp25iP0WW/cAHcvf9UYEhROcK3dO.cs | High entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'NyxEKeFm9h', 'dyDEacmlHN', 'OAaEUBxxP8', 'rTREsJROjf', 'fgxE5AyY8q', 'RS2E4MjLRO', 'DpxEN8H2GW', 'qdoEOGxcwG'
Source: SOA.exe, Ep9TQk4QNrLcJ0EZse/tLx4t7sYLSsm0JAykW.cs | High entropy of concatenated method names: '.ctor', 'wEOYeOLJN9', 'FEJYd1DB7W', 'zTLY0whnRS', 'qGmYgh2Gwa', 'b0MYTSbt6w', 'qL1Yxh3wXI', 'EYUYQ6NPn0', 'RbuYqMFmmK', 'FpaYjfCi9h'
Source: SOA.exe, dAKcQd8wCbYQVAqiPl/EuSw0oMtlfsQeRbPTe.cs | High entropy of concatenated method names: '.ctor', 'W8DYofg8YR', 'sxpYiGTSEQ', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'v9cY2TstwH', 'OrQUOydvAaBHWvGZxcC', 'xvqJCgdaE8Gew8pKqLt'
Source: SOA.exe, jOcw6JmPGQJ1Op4MgIk/upR16imV0Ub45XOLm0P.cs | High entropy of concatenated method names: 'Lp7XxliPZE', 'fj0XZrpAnD', 'QNmXoFJphn', 'tB0XiVMJKf', 'cB4X6fcliK', 'stFXXcfNU3', 'CJ6X3iKDOX', 'wBYXl5fQ8n', 'B4kXD9ie7U', 'v91XeMIL40'
Source: SOA.exe, cfZkO5muG9VhGCiLgkE/oogywymfve5jCjUanG0.cs | High entropy of concatenated method names: 'bVV6QQBY0i', 'RQK6qrB9OL', 'bX36j3wBBQ', 'lWI69Di6Cc', 'Y7y6c2WXW6', 'uRH6MrETaO', 'GEm6AilhAS', 'q4R6KAwrsO', 'aoe6FVn5Fk', 'vrC6UOs5JT'
Source: SOA.exe, e9uP8Rm5xj5dZZyte1o/nc4EJTmjDut5Uf1oJQ4.cs | High entropy of concatenated method names: 'RQ66YnENTW', 'mnt6EVeXdx', 'aw0yFxlqkl', 'su6yUuNMoP', 'OLwyLsHSv5', 'yPGy5SNtVF', 'PSHykFDxrV', 'Wx4yNUiJcx', 'aoqyznUsnK', 'kuc6uTbhJh'
Source: SOA.exe, NEJa5lmlLswK8QdaDcG/ViUWr4mOrwGdPx11X3V.cs | High entropy of concatenated method names: '.ctor', 'Dpxnqto5MY', 'M60nPRkOff', 'RQ9n9pZa4k', 'gFqnpQCmyn', 'PjNnMMPk5t', 'hwonhYwjY4', 'fccnK2uxah', 'Tvhnac7nMm', 'jXjnUKg4Xj'
Source: SOA.exe, wNQcdHmbiBPUmdHCcYK/O6QaobmIaIZqkped1W2.cs | High entropy of concatenated method names: 'oJhnYthdpG', 'iaMnEmXyyN', 'OYfGiTuoVJ', 'QNVGy4nWxS', 'hE1GXgFebI', 'UrYGBhGmPM', 'r5LGlY6Yw7', 'PTiG7BYsMk', 'tMmGeLg1mi', 'scRGdxpK8n'
Source: SOA.exe, Q2gJQAmYaYTgE6xYWXn/v7X9q7mJZ1NNJO8XJCC.cs | High entropy of concatenated method names: '.ctor', 'NLsGSexCPn', 'yv2GYaCdcI', 'zWAGWM2qUM', 'Fg0GI0aaEi', 'O8GGbOxeRu', 'plhGJwk5qG', 'QvfGwBKisM', 'nlxGRNGvRd', 'dldG1K2LdQ'
Source: SOA.exe, OIKLUwrpPI7C95qAwx/eR2bB0c9qI3JnqSFVK.cs | High entropy of concatenated method names: 'qcAvCZbCsu', 'XinvtttZD1', '.ctor', 'dl4vTuMsPv', 'qXIvx34kJX', 'jNRvdwpaYk', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'zOZv07CHN2'
                Source: SOA.exe, VfkxxClmcFhxxlUuuj/K3p7ImOVL33DcnjMOJ.csHigh entropy of concatenated method names: 'cmevwQ6TmJ', 'wLivR1Ld3F', 'iFlvIfXVaW', 'm9bvfdurvL', 'IW0vGBGthB', 'pG9vnoLddD', 'ffPv2pqFn9', 'wfivoJGlmm', 'eyovrGITv2', 'cXbv8G5Rg8'
                Source: SOA.exe, zHseZZmaKeOmpgvhDCP/EdGJULmmp5MtUlnG8Ca.csHigh entropy of concatenated method names: '.ctor', 'u6UIEnXFvF', 'jpEII7yj8n', 'XY6Im2B1cC', 'TopInr41it', 'rq0I2PPqMh', 'l4tIikxES9', 'q3oI6gi1rt', 'BNGIBjqeT6', 'MvJIlOv7UW'
                Source: SOA.exe, Imq3E4moJGbSG4d1wb8/tWeA8nztroduFpmbP8.csHigh entropy of concatenated method names: '.ctor', 'OqsWMmX8JL', 'fUkWhVd39N', 'XypWKNwdQa', 'd6TWaeXkR9', 'AsnWUV2DFm', 'Yl6WsUhMqB', 'yLuW5Gr2mR', 'Dh4W4PeYgK', 'TE4WNjYA3g'
                Source: SOA.exe, hFiJ6axJ61DwUJ0n5h/Qc3afSe8I4js0voE2U.csHigh entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'xloWdKPNwc', 'b3mW0XIu4A', 'l99WCxggt2', 'XmNWtHpyBl', 'lJ3WTtMpwE', 'KYhWxrnvkh', 'OnPaint', 'GrOWeSwqy4'
                Source: SOA.exe, uuff4aat6Ygi8QRQoVC/bMiIIaaEy30C3Jisaow.csHigh entropy of concatenated method names: 'QIEF0J3anf', 'HeNFgmjdqM', 'C6gFqQG6fc', 'bTeFPDRBIE', '.ctor', 'rLtFtEp4jf', 'Y4JFHP6OpB', 'OnPaint', 'tupFx4jydP', 'ji2FZSUl9a'
                Source: SOA.exe, NOFEUcarc3gAKo8VRwF/ekqQ6dacBW0nTWMQYss.csHigh entropy of concatenated method names: 'nS5FI1B7Jt', 'gGTFf1Hevm', '.ctor', 'JVAFJ6QKR8', 'lZxFw9A5HD', 'a5wFRDwifX', 'fUyF1cbsPc', 'SIgFr8ljr6', 'hrOF8781js', 'PJfFSFhkt7'
                Source: SOA.exe, yQVY4ualF3RYlv8caMw/hAf14saOsl4mbTd5Jjr.csHigh entropy of concatenated method names: 'vfbagOjTtx', 'iB3aCAMbbO', 'i4BaHikfcp', 'qUpaTLDKNm', 'y95aZWGNML', 'dEhaQOqq4c', 'Ea1aPgbEgb', 'E7Wajn9sD9', 'BVIapRRq2q', 'Q2SacsflAN'
                Source: SOA.exe, vcpYuCmyQOr5Immsp1i/g25LFdmUFK9044JdAjQ.csHigh entropy of concatenated method names: 'ekQiILdmCC', 'mi2ifqsIpW', 'SnFiEnk7YE', 'BD8iGJxpTc', 'XUbinMpfsd', 'rOYi2onOov', 'O7Biog7P8Z', 'd1biyfRKg7', 'qsQi6Bf8Li', 'xgUiBf5YxN'
                Source: SOA.exe, ep4slMmCGKq8NEa3Yjd/tcB4Him75txMTBHev97.csHigh entropy of concatenated method names: '.ctor', 'jBQoUCUi3D', 'KdWos8lfox', 'onno5G2qGW', 'FMto40XRjo', 'coVoNdm353', 'APNoOFToob', 'bOSiuaqLTS', 'IIRivNDVP5', 'sJaiJMRPMA'
                Source: SOA.exe, XtUmfGmZ6hQTyjfQ9Vo/cZcGEbmDvuTSZXdIiOv.csHigh entropy of concatenated method names: 'hN39g07ysr', 'ngD99bBhfC', 'cWDoHkXtGF', 'ElQoTtMqlH', '.ctor', 'qR9olgVq5b', 'Aajo7kfCvL', 'c1BoDDFe9L', 'rkKoeHbmTV', 'IDEoduWwYA'
                Source: SOA.exe, CVLxSVCKa2njVJ2LkY/bpPeyX7iRueTSCCTPf.csHigh entropy of concatenated method names: 'MRAbPs616U', 'phwbjBE7iu', 'vNVbpdISbE', 'KQFbcUc2Br', 'IoWbhVcHVf', 'nOCbAq3G5C', 'jCTbaPlTXK', 'yuDbFdBtu4', '.ctor', 'M8mbs5kc7B'
                Source: SOA.exe, JELoMXm6WkOr7TJCQjg/itCl3EmNip88NF1yedD.csHigh entropy of concatenated method names: '.ctor', 'q652NhhNds', 'YB22Otch9V', 'hsvouDRRDI', 'I9UovA286n', 'gMFoJN83Gg', 'h4howbl5Zt', 'IJVo1atJfK', 'Leuor5Pkol', 'etEoSvak0l'
                Source: SOA.exe, FEa4mUmtNWYywCYRNKe/vHuUosmECViKYGaMB6d.csHigh entropy of concatenated method names: 'OnCreateControl', '.ctor', 'w0J9J6W0qV', 'fwe9zR9YH0', 'KUV2b6PLeO', 'Kk02JlaDIo', 'TJu2R0njV5', 'DN021xatYo', 'wea28dNm2P', 'KCP2SKC4PW'
                Source: SOA.exe, CURrulmrL1K0yVaq6MD/PAGYVSmcCpjHLbe7WWI.csHigh entropy of concatenated method names: 'GaOVf8J8QK', 'yjYVmM2qAA', 'XxMVn4viuw', 'kJhVVEWvKi', 'SMGVomCCVS', 'kk7ViJ6BeE', 'XHGV6hJroW', 'PX1VX5KLmi', 'x9TV3of1uL', 'L5sVltMCqP'
                Source: SOA.exe, VYBIIkm2Srs515s1Pch/BtcjvLm05iJ9kdp8wol.csHigh entropy of concatenated method names: '.ctor', 'KVpm1P3c2u', 'dQFmrTUSm6', 'kC3m8wRCvQ', 'KxKmSF0V7L', 'y5MmY67XE8', 'LLpmEsnq98', 'EY4mGo8m4P', 'k3GmndqU3g', 'Ivnm2LHu8D'
                Source: SOA.exe, jvgaDPmwJZ0CDFrMM9O/J5baxHmFYX1tLQl12uy.csHigh entropy of concatenated method names: '.ctor', 'QMtf1OBPqS', 'ac6frrCUAl', 'fv9fSKn045', 'rSAfYAkmmv', 'am0fWDvTEL', 'DBDfIS67ol', 'Qyffmm3mrO', 'r3afGjZ9oK', 'dD3fVAPN0O'
                Source: SOA.exe, jAlxVJabhXSuTPv31IE/l3BrG5aIZhKPG27kgwJ.csHigh entropy of concatenated method names: '.ctor', 'OnCreateControl', 'cJpIoFLsxg', 'pfWIWnNt1J', 'r0ZKrySmbm', 'slBK8Nyyqm', 'a67M26Dqb2', 'pRAMoXpdDN', 'get_Text', 'set_Text'
                Source: SOA.exe, vAmoNaaYe89SPZFaRc7/aIafMZaJFeY9xUVApvJ.csHigh entropy of concatenated method names: '.ctor', 'mZvZpbgG3c', 'RxsZcGTxPX', 'VAsZh2WK9y', 'tNXZAXeYaI', 'Q6dZaedJfP', 'zCMZFbxvam', 'HVFZs59L47', 'hExZLB9x43', 'n8kZ4dQEAq'
                Source: SOA.exe, aGgaLNaKgAQrk5qYMGn/WpUvnwapvL1KyB3vcsK.csHigh entropy of concatenated method names: '.ctor', 'TlMZuUKUI4', 'yyKZvpDYsq', 'Pq2ZJJVuFN', 'dLpZwjNLhR', 'XwmZ1CWH9F', 'JP9ZrhIWjU', 'XrlZSUT2gL', 'Lo8ZYXi8yv', 'VbhZWnlcr4'
                Source: SOA.exe, UuWx9Ya2xA2AkZfALHx/RBsEhna0sYcMGsyoL7n.csHigh entropy of concatenated method names: '.ctor', 'KhDxmlUiF3', 'HS7xGu3OOo', 'lK5xVxIpVZ', 'G0Gx2MtGda', 'hXrxiEYodD', 'XU2xytklAO', 'rgoxXKx91s', 'DSVxB5YAin', 'dNBxldEx8s'
                Source: SOA.exe, Toaeahawj1f41EPS5sW/ju7R5faFDG2g8NMfBn6.csHigh entropy of concatenated method names: '.ctor', 'HvcTMh4XKB', 'DmNThWuJLB', 'JARTKVgFwW', 's7jTaelh6S', 'hdMTU2fakZ', 'ggNTsIMKA2', 'p0KT5lQKPg', 'U8BT4fCprL', 'Uw4TN391RR'
                Source: SOA.exe, irHS7Raay4ybH6asnMc/KNTEoYamulH880rfFiG.csHigh entropy of concatenated method names: 'B1GTgOhDGW', 'vcqTCZIswP', 'zNQTHCROb3', 'JC0TT5thjM', 'g4bTZ9vugn', 'qnETQtC8Dm', '.ctor', 'o1oTd756NO', 'nEaT0MMQC2', 'zc0ngxJoHMheA8lQreZ'
                Source: SOA.exe, MRXeP5mvdCMPcZgTQOu/qIGuwum160ZYmHt04cn.csHigh entropy of concatenated method names: 'OfUl1MvpIv', 'xWAlrRETX6', 'K7vlSjltNj', 'rhTlYB2thY', 'SGllWuLcHd', 'KXmlI1lPDL', 'wXFlvtoCgX', 'HrNlboqD6y', 'bhVlJbPKN5', 'dVqlwb1q6Y'
                Source: SOA.exe, sswPafmLDHl8YsTqQ9O/cYKoC2mG5mMsdLPJyN4.csHigh entropy of concatenated method names: 'H6k33DSqc5', 'QuV3lUJUqQ', 'a1r3DExSlv', 'lJJ3e1Yh4j', 'VMn30R0G1D', 'Cyk3gSvdwl', 'CjI3thtdc6', 'k1t3H3fmt2', 'Bov3E531CI', 'deb3Wdpj4p'
                Source: SOA.exe, R7sYdEmTTxROR35UAKW/wsC1OOmXailXP5X43G8.csHigh entropy of concatenated method names: 'al1BUOAeqB', 'P8IBsoA6V3', '.ctor', 'QeYBq57QeV', 'qkHBPpORV0', 'I7iBjgI2Ue', 'OnMouseDown', 'OnMouseMove', 'OnPaint', 'Jq3B91t10g'
                Source: SOA.exe, CXK03lmqOGUgT73c5jy/Mux8hum3o2jRY01Fjug.csHigh entropy of concatenated method names: '.ctor', 'Uf0ygyAupU', 'TOHyCMZam9', 'hMAyVEOPOr', 'i6Ey2aRK2r', 'JBuyiOq4nw', 'GlhyyNRDLp', 'myUyX6luAx', 'MWNyBmjhvu', 'jcVylZjMaL'
                Source: SOA.exe, rC9n3tmRjJl4ICl42CP/Pw85lJmgU4m6WIeuJ45.csHigh entropy of concatenated method names: '.ctor', 'mj5y8hfnCy', 'ieTySuhgLA', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'znAyr9IHbS', 'hTjtEWur9O3aZPvgVKp', 'PgearquIhmp2d2krZDx'
                Source: SOA.exe, pqjUw5mnSlQwwiCRLin/vbcm7VmBTm6DAAZdo32.csHigh entropy of concatenated method names: 'WvZicDGRHr', 'zwwiMRfKuu', 'ubtiLfGVc6', 'Hbti5Tjs6Q', '.ctor', 'MpLiAF60Cg', 'XkaiKglE4M', 'OnPaint', 's5tiFrYPr3', 'NahiU4Jb4c'
                Source: SOA.exe, vasgham4wcEneqZgRiA/YgEbQbmsGS5GPcPF4hs.csHigh entropy of concatenated method names: '.ctor', 'CFn0afqlVm', 'C3E0FHkj6D', 'GNqeTZO5Iq', 'ioYexAdZS9', 'l5GeQViBY5', 'xlCeqpEirE', 'CDmejpiB2x', 'krTe9aFBe1', 'Jr4ecg4FTb'
                Source: SOA.exe, FhaWHjmS7aDE1xETZUb/kQ9mFFmirEcZZp7yje1.csHigh entropy of concatenated method names: 'vN3B7ed5Pk', 'TcGBDi4tw9', '.ctor', 'zOYBy9aZwR', 'Ly9B6fmVOE', 'OnPaint', 'TB5BBkvQ7A', 'hLcB3W5FBr', 'OnMouseDown', 'OnMouseUp'
                Source: SOA.exe, Mx0ZEhmQUCLd7KetTwS/JphJyamWTZ8LPQOdotI.csHigh entropy of concatenated method names: 'VrnBwgVseg', 'TeEBR1gcAn', 'nwbBYSI1sb', 'aRYBE96TYI', 'kyZBrQA7D9', 'OhaB8EZCLO', '.ctor', 'OnPaint', 'OnHandleCreated', 'OnMouseDown'
                Source: SOA.exe, LRB3x8mAZqY4UGeKxD8/Y6ZU4mmkUmJGpTX9OmS.csHigh entropy of concatenated method names: 'kS0XabgMCj', 'BrfXFywaL4', 'saKXU9L8Qe', 'P44XsKpF05', 'NBCXLQktWN', 'OCjX52RiaG', 'l8JX4COjGZ', 'y8UXkRqlJ7', 'qKwXNxPfyp', 'Bn5XOPvlax'
                Source: SOA.exe, cRFjEMABVTTrSlu3lR/YLREBckxwrXcgX8paC.csHigh entropy of concatenated method names: 'D8LrmAvdPH', 'WUJrGp6fvJ', 'iZvrVxNBVX', 'Xdir2ESdtB', 'FEwriPxV1u', 'Hp0ryU0Fvm', 'reWrXT1GnR', 'pT1rBae6yX', '.ctor', 'Q6lrlemTrx'
                Source: SOA.exe, RQXmohPYi9ovVqoqIB/PuKrXCVVc7hivfWtyq.csHigh entropy of concatenated method names: '.ctor', 'iC1ruSW4Sg', 'Dispose', 'zPArvraEji', 'OjarbUt3qw', 'UlKrJsDRlp', 'BtNrw9CE7E', 'bwtrRdAVZw', 'hBn9n9awr8', 'MK19A9iLyA'
                Source: SOA.exe, NQc2LLnynA3OE81TRW/Vge11NB5eqWeNPTA9V.csHigh entropy of concatenated method names: 'uKYwoOpQir', 'zj6wiWh7CP', 'tU4w6uuRHE', 'rPkwXfZPP9', '.ctor', 'qj5w2wW87b', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'hkU6KDQCbx6DhiMIBQ9'
                Source: SOA.exe, mGsk2LysGl8bw24SZ6/J4sti3UmvML6cnKVl1.csHigh entropy of concatenated method names: 't2aJJwKdxE', 'fJuJwZI9T4', 'LMaJ15vW7h', 'PgeJrBS02h', 'I3xJS6GNT0', 'rjJJYcMRJR', 'vjfJWX98Z0', 'mPqJI37gVD', 'YtwJmcocDq', 'qBlJG5NmpR'
                Source: SOA.exe, Cq3QpsZQ2blS9SK5LK/pFqsyFDOuicieknmiP.csHigh entropy of concatenated method names: 'oytbYrMARP', 'OfRbE7mLZG', 'VXCbI19DxJ', 'uE3bfHcqcm', 'o5ObGn31mP', 'YjObnbnZ4h', 'EhJb2gE8Ft', 'xdfbo0jbak', 'gt1bBlYtHF', 'm6Hb3Seivf'
                Source: SOA.exe, h9j9KP6BWqd4PY1GKZ/Pq4UlhNGYXr97BDl94.csHigh entropy of concatenated method names: 'hZvv4da48Y', 'kgrvkbnmCo', 'IwJvNdemcI', 'RsfvOjBgT9', 'bPQvz1PTY0', 'JFXbuuapYK', 'O5ibvN7yH0', 'DcJbbMLcIv', 'ki7bJLLfr8', 'Q5XbwsMIEs'
                Source: SOA.exe, cidmi3Thw7whDBB9Z5/vb11phXqCLnrTPrt3n.csHigh entropy of concatenated method names: '.ctor', 'v82rKy7CWw', 'z1qra2DKun', 'ehZrUmppOD', 'BxmrsDfCkk', 'sD6r5XCrX8', 'HTpr4Vl5Iq', 'U9arNdCFRP', 'iRQrOTriNd', 'c1I8uAfFTP'
                Source: SOA.exe, oMjanFS6pTGT7arocH/RaMXVci91cbGmuMctp.csHigh entropy of concatenated method names: '.ctor', 'hN39g07ysr', 'ngD99bBhfC', 'bhorq1NCjw', 'zrirPJsvWV', 'NjFrHQuoS2', 'V84rTmqekH', 'C21rxfNdbP', 'kVIrZcJftT', 'iqArQWYmD3'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\SOA.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe - Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\SOA.exe - Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe - Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Window / User API: threadDelayed 1123
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Window / User API: threadDelayed 8723
                Source: C:\Users\user\Desktop\SOA.exe TID: 2416 - Thread sleep time: -41943s >= -30000s
                Source: C:\Users\user\Desktop\SOA.exe TID: 3840 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 4880 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 5292 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SOA.exe - Thread delayed: delay time: 41943
                Source: RegSvcs.exe, 00000006.00000002.480845235.0000000005F00000.00000002.00000001.sdmp - Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: RegSvcs.exe, 00000006.00000002.480845235.0000000005F00000.00000002.00000001.sdmp - Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: RegSvcs.exe, 00000006.00000002.480845235.0000000005F00000.00000002.00000001.sdmp - Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RegSvcs.exe, 00000006.00000002.481185884.0000000005FF0000.00000004.00000001.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: RegSvcs.exe, 00000006.00000002.480845235.0000000005F00000.00000002.00000001.sdmp - Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 6_2_0120A3B0 LdrInitializeThunk, 6_2_0120A3B0
                Source: C:\Users\user\Desktop\SOA.exe - Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SOA.exe - Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Modifies the hosts file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                Source: C:\Users\user\Desktop\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                Source: C:\Users\user\Desktop\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                Source: C:\Users\user\Desktop\SOA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D59008
                Source: C:\Users\user\Desktop\SOA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Source: C:\Users\user\Desktop\SOA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Source: RegSvcs.exe, 00000006.00000002.474101672.0000000001800000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: RegSvcs.exe, 00000006.00000002.474101672.0000000001800000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: RegSvcs.exe, 00000006.00000002.474101672.0000000001800000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: RegSvcs.exe, 00000006.00000002.474101672.0000000001800000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Users\user\Desktop\SOA.exe VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SOA.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06265594 GetUserNameW, 6_2_06265594
Source: C:\Users\user\Desktop\SOA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORYSTR

Mitre Att&ck Matrix

One column per tactic; an empty cell means no technique in that row. Digits after a technique name are the hit counters from the original matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 212 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | Credentials in Registry 1 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 11 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 31 | NTDS | Security Software Discovery 111 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 2 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 212 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

[Behavior graph image. Behavior Graph ID: 458920, Sample: SOA.exe, Startdate: 03/08/2021, Architecture: WINDOWS, Score: 100]

Graph contents recovered from the image text:

SOA.exe (started): Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 5 other signatures. Dropped file: C:\Users\user\AppData\Local\...\SOA.exe.log (ASCII). Writes to foreign memory regions; Injects a PE file into a foreign processes. Starts two RegSvcs.exe instances.
NXLun.exe (two instances started): each starts conhost.exe.
RegSvcs.exe (first instance): DNS/IP: us2.smtp.mailhostbox.com 208.91.199.225, ports 49737, 587, PUBLIC-DOMAIN-REGISTRYUS, United States. Dropped files: C:\Users\user\AppData\Roaming\...\NXLun.exe (PE32), C:\Windows\System32\drivers\etc\hosts (ASCII). Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 3 other signatures.
RegSvcs.exe (second instance): Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines).


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source  | Detection | Scanner        | Label
SOA.exe | 57%       | Virustotal     |
SOA.exe | 46%       | Metadefender   |
SOA.exe | 79%       | ReversingLabs  | ByteCode-MSIL.Trojan.AgentTesla
SOA.exe | 100%      | Joe Sandbox ML |

                Dropped Files

Source                                        | Detection | Scanner       | Label
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0%        | Metadefender  |
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0%        | ReversingLabs |

                Unpacked PE Files

Source                          | Detection | Scanner | Label
6.2.RegSvcs.exe.400000.0.unpack | 100%      | Avira   | TR/Spy.Gen8

                Domains

                No Antivirus matches

                URLs


                Domains and IPs

                Contacted Domains

Name                     | IP             | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true   | false     |                     | high

                  URLs from Memory and Binaries


                                Contacted IPs


                                Public

IP             | Domain                   | Country       | ASN    | ASN Name                 | Malicious
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458920
Start date: 03.08.2021
Start time: 21:30:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SOA.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@9/6@1/1
EGA Information: Failed
HDC Information:
                                • Successful, ratio: 0.4% (good quality ratio 0.4%)
                                • Quality average: 100%
                                • Quality standard deviation: 0%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 96
                                • Number of non-executed functions: 3
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                • Excluded IPs from analysis (whitelisted): 104.43.139.144, 13.64.90.137, 23.211.6.115, 20.82.209.183, 23.35.236.56, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.235, 80.67.82.211
                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

Time     | Type            | Description
21:31:27 | API Interceptor | 1x Sleep call for process: SOA.exe modified
21:31:41 | API Interceptor | 663x Sleep call for process: RegSvcs.exe modified
21:31:53 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
21:32:01 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe

                                Joe Sandbox View / Context

                                IPs


                                                                        Domains


                                                                        ASN

                                                                        Confirmaci#U00f3n de pago .exeGet hashmaliciousBrowse
                                                                        • 208.91.199.224

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

Match: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Associated Sample Name / URL | Detection
POSH service quotation.exe | malicious
SOA.exe | malicious
epda.exe | malicious
POSH service quotation..exe | malicious
SWIFT REF GO 20210730SFT21020137.exe | malicious
HJKcEjrUuzYMV9X.exe | malicious
est pda.exe | malicious
BL COPY.exe | malicious
DOC.exe | malicious
statement.exe | malicious
PO-K-128 IAN 340854.exe | malicious
PO#4500484210.exe | malicious
Invoice no SS21-22185.exe | malicious
SQycD6hL4Y.exe | malicious
Aggiornamento ordine Quantit#U00e0__BFM Srl 117-28050-01.exe | malicious
PAYMENT INSTRUCTIONS COPY.exe | malicious
FINAL SHIPPING DOC..exe | malicious
Spare Parts Requisition-003,004.exe | malicious
PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe | malicious
Order List.exe | malicious

                                                                                                                Created / dropped Files

                                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
                                                                                                                Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:modified
                                                                                                                Size (bytes):142
                                                                                                                Entropy (8bit):5.090621108356562
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                                                Malicious:false
                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA.exe.log
                                                                                                                Process:C:\Users\user\Desktop\SOA.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1314
                                                                                                                Entropy (8bit):5.350128552078965
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                                                MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                                                SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                                                SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                                                SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                                                Malicious:true
                                                                                                                Reputation:high, very likely benign file
                                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
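The two UsageLogs entries above are a by-product of the CLR rather than something the malware writes on purpose: for each executable name the runtime records which assemblies the process bound, so the file survives as evidence of what ran even after the binary is gone. The parser below is an added example and is not part of the report or of Joe Sandbox. It reproduces the records visible in the two previews (the NXLun.exe.log text is complete, its three records adding up to the 142 bytes the entry reports; the SOA.exe.log preview is cut off mid-record on the page, so only its whole lines are reproduced) and extracts the assembly names. The record-type meanings in the docstring are inferred from these previews, not from any Microsoft documentation. One thing the comparison makes visible: NXLun.exe bound only System.EnterpriseServices, the assembly behind the .NET Services Installation Utility, which fits the RegSvcs usage banner the report captured from that process's console output (the \Device\ConDrv entry further down).

```python
import csv
from typing import Dict, List, Optional

# Constructed from the preview of NXLun.exe.log in the report; the preview
# renders each CRLF as "..". These three records are the whole 142-byte file.
NXLUN_USAGE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
)

# Constructed from the preview of SOA.exe.log; the page truncates the file
# mid-record, so only the complete records are reproduced here.
SOA_USAGE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, '
    'PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\'
    '4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\'
    'f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\r\n'
)

Record = Dict[str, Optional[str]]


def parse_usage_log(text: str) -> List[Record]:
    """Split a CLR usage log into records.

    Record layout is inferred from the previews on this page, not documented:
      1,"<setting>","<value>",<flag>                         loader setting
      2,"<assembly full name>",<flag>                        assembly bound (JIT)
      3,"<assembly full name>","<native image path>",<flag>  bound via NGEN image
    """
    records: List[Record] = []
    for row in csv.reader(text.splitlines()):  # csv handles the quoted, comma-laden names
        if not row:
            continue
        kind = row[0]
        if kind == "1" and len(row) >= 4:
            records.append({"kind": "setting", "name": row[1], "value": row[2], "native_image": None})
        elif kind == "2" and len(row) >= 3:
            records.append({"kind": "assembly", "name": row[1], "value": row[2], "native_image": None})
        elif kind == "3" and len(row) >= 4:
            records.append({"kind": "assembly", "name": row[1], "value": row[3], "native_image": row[2]})
        else:  # keep unknown record types visible rather than dropping them silently
            records.append({"kind": "unknown:" + kind, "name": ",".join(row[1:]), "value": None, "native_image": None})
    return records


def simple_name(full_name: str) -> str:
    """'System.Core, Version=4.0.0.0, ...' -> 'System.Core'."""
    return full_name.split(",", 1)[0].strip()


def loaded_assemblies(text: str) -> List[str]:
    """Assembly simple names in the order the CLR bound them."""
    return [simple_name(r["name"]) for r in parse_usage_log(text) if r["kind"] == "assembly"]


def compare_logs(a: str, b: str) -> Dict[str, List[str]]:
    """Assemblies bound by one process but not the other; useful when one
    binary is seen both as the dropper and as the persisted copy."""
    sa, sb = set(loaded_assemblies(a)), set(loaded_assemblies(b))
    return {"only_in_a": sorted(sa - sb), "only_in_b": sorted(sb - sa)}


if __name__ == "__main__":
    for label, log in (("SOA.exe", SOA_USAGE_LOG), ("NXLun.exe", NXLUN_USAGE_LOG)):
        print(label, loaded_assemblies(log))
    print(compare_logs(SOA_USAGE_LOG, NXLUN_USAGE_LOG))
```

On a live host the logs sit under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs (32-bit processes) and CLR_v4.0\UsageLogs (64-bit); read them with the file's own CRLF terminators and pass the text straight in.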
                                                                                                                C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):45152
                                                                                                                Entropy (8bit):6.149629800481177
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                                                MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                                                SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                                                SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                                                SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Joe Sandbox View:
                                                                                                                • Filename: POSH service quotation.exe, Detection: malicious, Browse
                                                                                                                • Filename: SOA.exe, Detection: malicious, Browse
                                                                                                                • Filename: epda.exe, Detection: malicious, Browse
                                                                                                                • Filename: POSH service quotation..exe, Detection: malicious, Browse
                                                                                                                • Filename: SWIFT REF GO 20210730SFT21020137.exe, Detection: malicious, Browse
                                                                                                                • Filename: HJKcEjrUuzYMV9X.exe, Detection: malicious, Browse
                                                                                                                • Filename: est pda.exe, Detection: malicious, Browse
                                                                                                                • Filename: BL COPY.exe, Detection: malicious, Browse
                                                                                                                • Filename: DOC.exe, Detection: malicious, Browse
                                                                                                                • Filename: statement.exe, Detection: malicious, Browse
                                                                                                                • Filename: PO-K-128 IAN 340854.exe, Detection: malicious, Browse
                                                                                                                • Filename: PO#4500484210.exe, Detection: malicious, Browse
                                                                                                                • Filename: Invoice no SS21-22185.exe, Detection: malicious, Browse
                                                                                                                • Filename: SQycD6hL4Y.exe, Detection: malicious, Browse
                                                                                                                • Filename: Aggiornamento ordine Quantit#U00e0__BFM Srl 117-28050-01.exe, Detection: malicious, Browse
                                                                                                                • Filename: PAYMENT INSTRUCTIONS COPY.exe, Detection: malicious, Browse
                                                                                                                • Filename: FINAL SHIPPING DOC..exe, Detection: malicious, Browse
                                                                                                                • Filename: Spare Parts Requisition-003,004.exe, Detection: malicious, Browse
                                                                                                                • Filename: PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe, Detection: malicious, Browse
                                                                                                                • Filename: Order List.exe, Detection: malicious, Browse
                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                                                C:\Windows\System32\drivers\etc\hosts
                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:modified
                                                                                                                Size (bytes):11
                                                                                                                Entropy (8bit):2.663532754804255
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:iLE:iLE
                                                                                                                MD5:B24D295C1F84ECBFB566103374FB91C5
                                                                                                                SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                                                                                SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                                                                                SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                                                                                Malicious:true
                                                                                                                Preview: ..127.0.0.1
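The hosts entry above records the one file under C:\Windows in this list that the RegSvcs.exe process modified: the stock file was replaced by 11 bytes, a CRLF followed by a bare 127.0.0.1 with no hostname, which is why the report flags it as malicious despite its size. A check that catches this kind of tampering, written here as an added example and not taken from the report or from Joe Sandbox: it parses hosts-file text, reports a missing comment header, an implausibly small file and malformed lines, and also flags the more common variant where security or update hostnames are pinned to loopback. All three inputs are constructed; the sinkholed hostnames in the third one are hypothetical.

```python
from typing import Dict, List, Tuple

# Constructed sample 1: the 11-byte hosts file recorded in this report (the
# preview renders the leading CRLF as "..").
HOSTS_FROM_REPORT = "\r\n127.0.0.1"

# Constructed sample 2: the opening lines of a stock Windows hosts file. Every
# mapping on a default install is commented out.
HOSTS_DEFAULT = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    "#\r\n"
    "# localhost name resolution is handled within DNS itself.\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "#\t::1             localhost\r\n"
)

# Constructed sample 3: header kept, but hypothetical update/AV hostnames
# are sinkholed. Not from the report.
HOSTS_SINKHOLED = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "127.0.0.1 update.example-av.test\r\n"
    "0.0.0.0   telemetry.example.test\r\n"
)

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
SYSTEM_HOSTNAMES = {"localhost"}   # names that legitimately resolve to loopback
MIN_PLAUSIBLE_SIZE = 100           # the stock comment block alone is several hundred bytes

Entry = Tuple[str, List[str]]


def inspect_hosts(content: str) -> Dict[str, object]:
    """Parse hosts-file text and return active entries plus integrity findings."""
    findings: List[str] = []
    active: List[Entry] = []
    lines = content.splitlines()

    if not any(line.strip().startswith("#") for line in lines):
        findings.append("no comment header: the stock Windows hosts content is gone")
    size = len(content.encode("utf-8"))
    if size < MIN_PLAUSIBLE_SIZE:
        findings.append(f"unusually small file ({size} bytes)")

    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if not names:
            findings.append(f"line {n}: address {ip!r} without a hostname (malformed)")
            continue
        active.append((ip, names))
        if ip in LOOPBACK:
            blocked = [h for h in names if h.lower() not in SYSTEM_HOSTNAMES]
            if blocked:
                findings.append(f"line {n}: {', '.join(blocked)} sinkholed to {ip}")

    return {"active_entries": active, "findings": findings, "tampered": bool(findings)}


if __name__ == "__main__":
    for label, text in (("report", HOSTS_FROM_REPORT), ("default", HOSTS_DEFAULT), ("sinkholed", HOSTS_SINKHOLED)):
        print(label, inspect_hosts(text))
```

The report's file trips all three generic findings at once (no header, 11 bytes, an address with no hostname), so a single one of them is enough to raise an alert; the sinkhole rule is there because the same write primitive is far more often used to pin vendor hostnames to loopback than to blank the file.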
                                                                                                                \Device\ConDrv
                                                                                                                Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1141
                                                                                                                Entropy (8bit):4.44831826838854
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                                                MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                                                SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                                                SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                                                SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                                                Malicious:false
                                                                                                                Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                                                Static File Info

                                                                                                                General

                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Entropy (8bit):6.923028175424685
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                File name:SOA.exe
                                                                                                                File size:1148416
                                                                                                                MD5:170f199a743cc527f5f222594ae66559
                                                                                                                SHA1:5de323016e6f72653d7350ba45dfc73a208a580a
                                                                                                                SHA256:2b4fef6d86dbcf4905dc110ed199516a9162266d69486d0aa14c26b71c8072db
                                                                                                                SHA512:52be5ddb65347a1f8b338d58880fe2784f775155e1997ba1ffd0e36ebd3542d0893b8bbfe5c5b8b77372d878316a0aa013545c1dcba7e06dadebc23895b9d9ba
                                                                                                                SSDEEP:24576:5ka1zC/d3874JaKQEObus7lKW2rXa491ZQzoo:5kql4JaKhouswXq4DZ5
                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................|............... ........@.. ....................................@................................

                                                                                                                File Icon

                                                                                                                Icon Hash:00828e8e8686b000

                                                                                                                Static PE Info

                                                                                                                General

                                                                                                                Entrypoint:0x519bde
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:false
                                                                                                                Imagebase:0x400000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                Time Stamp:0x6101F7DF [Thu Jul 29 00:35:43 2021 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:v4.0.30319
                                                                                                                OS Version Major:4
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:4
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:4
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
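Two rows of this table are worth reading together for a .NET sample: the import hash f34d5f2d4577ed6d9ceec516c1f5a744 and the entrypoint 0x519bde, whose disassembly in the Entrypoint Preview that follows is a single jmp dword ptr [00402000h] with zero bytes after it (rendered as add byte ptr [eax], al). A 32-bit CLR executable imports exactly one native symbol, mscoree!_CorExeMain, and its native entrypoint is an indirect jump through that import's IAT slot (RVA 0x2000 here); everything else is managed code. The consequence for a practitioner is that the import hash carries no information for this sample or its relatives, since every executable with that one import hashes to the same value; pivot on the managed metadata (type references, method names, the embedded resources) instead. The script below is an added example, not part of the report or of Joe Sandbox: it recomputes the import hash from a one-entry import list (an assumption, because the page gives only the hash), converts the entrypoint to an RVA with the stated image base, and decodes the stub bytes, which are constructed from the preview's instruction.

```python
import hashlib
import struct
from typing import Dict, Iterable, Optional, Tuple

# Assumed import table of the sample: the report gives only the import hash,
# and a 32-bit CLR executable imports this single symbol.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Figures copied from the Static PE Info table.
IMAGEBASE = 0x400000
ENTRYPOINT_VA = 0x519BDE
REPORTED_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Constructed: "jmp dword ptr [00402000h]" is FF 25 <abs32>; the zeros are the
# padding the preview disassembles as "add byte ptr [eax], al".
ENTRY_BYTES = bytes.fromhex("ff25002040000000000000")


def imphash(imports: Iterable[Tuple[str, str]]) -> str:
    """Mandiant import hash: md5 of lower-cased "dll.func" pairs, joined by
    commas in import-table order, with the library extension stripped."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    # Full implementations also translate ordinal imports to names for a few
    # libraries (oleaut32, ws2_32, wsock32); only named imports are handled here.
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def entrypoint_rva(va: int, imagebase: int) -> int:
    """AddressOfEntryPoint as stored in the optional header (VA minus image base)."""
    return va - imagebase


def decode_clr_stub(code: bytes, imagebase: int) -> Optional[int]:
    """If the code starts with FF 25 <abs32> (jmp through an absolute slot),
    return that slot as an RVA; None for anything else. For a CLR executable
    the slot is the IAT entry that the loader fills with mscoree!_CorExeMain."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    slot_va = struct.unpack_from("<I", code, 2)[0]
    return slot_va - imagebase


def summarize(imports, va: int, imagebase: int, code: bytes) -> Dict[str, object]:
    """What a static triage step would record for a PE whose entry is a CLR stub."""
    h = imphash(imports)
    slot = decode_clr_stub(code, imagebase)
    return {
        "imphash": h,
        "imphash_is_generic_dotnet": h == REPORTED_IMPHASH,  # true for nearly every .NET EXE
        "entrypoint_rva": entrypoint_rva(va, imagebase),
        "iat_slot_rva": slot,
        "clr_stub": slot is not None,
    }


if __name__ == "__main__":
    for k, v in summarize(DOTNET_IMPORTS, ENTRYPOINT_VA, IMAGEBASE, ENTRY_BYTES).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

Run against the figures in the table the summary reports the same import hash the sandbox computed, an entrypoint RVA of 0x119bde and an IAT slot at RVA 0x2000; a native binary with a real import table gives a different hash and, usually, no FF 25 at its entry.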

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al    (repeated 97 times: this is the disassembly of the zero-filled bytes that follow the single jmp through the import address table, the usual entry stub of a managed .NET executable)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x119b90         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x11a000         0x5cc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x11c000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x117be4      0x117c00  False     0.622195110031   data       6.92815557237   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x11a000         0x5cc         0x600     False     0.430989583333   data       4.1324919287    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x11c000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                                                                         Language  Country
RT_VERSION   0x11a0a0  0x340  data
RT_MANIFEST  0x11a3e0  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Microsoft 2014
Assembly Version  1.0.0.0
InternalName      ValueTup.exe
FileVersion       1.0.0.0
CompanyName       Microsoft
LegalTrademarks
Comments
ProductName       QManager
ProductVersion    1.0.0.0
FileDescription   QManager
OriginalFilename  ValueTup.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Aug 3, 2021 21:33:12.200417042 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:12.349888086 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:12.350032091 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:12.590347052 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:12.590908051 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:12.741451979 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:12.741486073 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:12.742101908 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:12.894557953 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:12.940715075 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:12.962893009 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:13.112855911 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.112925053 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.112981081 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.113044024 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.113097906 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.113224983 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:13.159492970 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:13.262850046 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.272418022 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:13.427648067 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.444448948 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:13.595277071 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.598299026 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:13.748820066 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.749478102 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:13.901453972 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:13.902399063 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:14.053003073 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:14.053400040 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:14.214595079 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:14.215018034 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:14.366292953 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:14.367492914 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:14.367629051 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:14.368592978 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:14.368654013 CEST  49737        587        192.168.2.3     208.91.199.225
Aug 3, 2021 21:33:14.517153978 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:14.518768072 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:14.622889042 CEST  587          49737      208.91.199.225  192.168.2.3
Aug 3, 2021 21:33:14.675271988 CEST  49737        587        192.168.2.3     208.91.199.225

UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Aug 3, 2021 21:31:00.840275049 CEST  64938        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:00.873049021 CEST  53           64938      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:01.648380041 CEST  60152        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:01.675194025 CEST  53           60152      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:02.301018953 CEST  57544        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:02.343997955 CEST  53           57544      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:02.607445002 CEST  55984        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:02.632257938 CEST  53           55984      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:03.422261953 CEST  64185        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:03.449270010 CEST  53           64185      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:04.331245899 CEST  65110        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:04.356158018 CEST  53           65110      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:05.724580050 CEST  58361        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:05.749425888 CEST  53           58361      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:06.519936085 CEST  63492        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:06.546538115 CEST  53           63492      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:07.545828104 CEST  60831        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:07.571017027 CEST  53           60831      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:08.549725056 CEST  60100        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:08.582407951 CEST  53           60100      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:09.613878012 CEST  53195        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:09.646864891 CEST  53           53195      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:10.418324947 CEST  50141        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:10.453676939 CEST  53           50141      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:11.417495966 CEST  53023        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:11.445055962 CEST  53           53023      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:12.266757011 CEST  49563        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:12.294178963 CEST  53           49563      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:13.364875078 CEST  51352        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:13.392333031 CEST  53           51352      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:15.409547091 CEST  59349        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:15.435524940 CEST  53           59349      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:16.394052029 CEST  57084        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:16.419142008 CEST  53           57084      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:19.433769941 CEST  58823        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:19.469783068 CEST  53           58823      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:36.226301908 CEST  57568        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:36.261946917 CEST  53           57568      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:37.026783943 CEST  50540        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:37.064013004 CEST  53           50540      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:55.209240913 CEST  54366        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:55.241535902 CEST  53           54366      8.8.8.8      192.168.2.3
Aug 3, 2021 21:31:57.933454990 CEST  53034        53         192.168.2.3  8.8.8.8
Aug 3, 2021 21:31:57.980984926 CEST  53           53034      8.8.8.8      192.168.2.3
                                                                                                                Aug 3, 2021 21:32:11.811569929 CEST5776253192.168.2.38.8.8.8
                                                                                                                Aug 3, 2021 21:32:11.856832981 CEST53577628.8.8.8192.168.2.3
                                                                                                                Aug 3, 2021 21:32:19.099921942 CEST5543553192.168.2.38.8.8.8
                                                                                                                Aug 3, 2021 21:32:19.137240887 CEST53554358.8.8.8192.168.2.3
                                                                                                                Aug 3, 2021 21:32:46.850687981 CEST5071353192.168.2.38.8.8.8
                                                                                                                Aug 3, 2021 21:32:46.900109053 CEST53507138.8.8.8192.168.2.3
                                                                                                                Aug 3, 2021 21:32:48.469444990 CEST5613253192.168.2.38.8.8.8
                                                                                                                Aug 3, 2021 21:32:48.503588915 CEST53561328.8.8.8192.168.2.3
                                                                                                                Aug 3, 2021 21:33:12.043564081 CEST5898753192.168.2.38.8.8.8
                                                                                                                Aug 3, 2021 21:33:12.079096079 CEST53589878.8.8.8192.168.2.3

                                                                                                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 3, 2021 21:33:12.043564081 CEST | 192.168.2.3 | 8.8.8.8 | 0xda9 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

                                                                                                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 3, 2021 21:33:12.079096079 CEST | 8.8.8.8 | 192.168.2.3 | 0xda9 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.225 | A (IP address) | IN (0x0001)
Aug 3, 2021 21:33:12.079096079 CEST | 8.8.8.8 | 192.168.2.3 | 0xda9 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.198.143 | A (IP address) | IN (0x0001)
Aug 3, 2021 21:33:12.079096079 CEST | 8.8.8.8 | 192.168.2.3 | 0xda9 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.224 | A (IP address) | IN (0x0001)
Aug 3, 2021 21:33:12.079096079 CEST | 8.8.8.8 | 192.168.2.3 | 0xda9 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.223 | A (IP address) | IN (0x0001)

                                                                                                                SMTP Packets

Timestamp | Source | Destination | Commands
Aug 3, 2021 21:33:12.590347052 CEST | 208.91.199.225:587 | 192.168.2.3:49737 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Aug 3, 2021 21:33:12.590908051 CEST | 192.168.2.3:49737 | 208.91.199.225:587 | EHLO 887849
Aug 3, 2021 21:33:12.741486073 CEST | 208.91.199.225:587 | 192.168.2.3:49737 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Aug 3, 2021 21:33:12.742101908 CEST | 192.168.2.3:49737 | 208.91.199.225:587 | STARTTLS
Aug 3, 2021 21:33:12.894557953 CEST | 208.91.199.225:587 | 192.168.2.3:49737 | 220 2.0.0 Ready to start TLS
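The session above is the whole of what the sandbox can see of the exfiltration channel: the sample resolves us2.smtp.mailhostbox.com, connects to 208.91.199.225:587, sends EHLO, is offered AUTH PLAIN LOGIN and STARTTLS, and switches to TLS, after which the AUTH credentials, MAIL FROM, RCPT TO and the stolen data are all encrypted on the wire. The following script is an added example (not part of the Joe Sandbox report) that parses a cleartext SMTP transcript of this shape and turns the observations into findings. The transcript is constructed from the table above, the originating process name is passed in (the report's Yara hits place AgentTesla in the injected RegSvcs.exe, but this export does not attribute the flow to a process, so that is an assumption), and the mail-client allowlist is an assumption as well.

```python
import re
from dataclasses import dataclass, field

# Constructed transcript of the cleartext part of the session shown in the
# SMTP Packets table (direction, raw wire data); not a pcap.
SESSION = [
    ("S", "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
    ("C", "EHLO 887849"),
    ("S", "250-us2.outbound.mailhostbox.com\r\n250-PIPELINING\r\n250-SIZE 41648128\r\n"
          "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n"
          "250-AUTH=PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
]

# Processes expected to talk SMTP from a workstation (assumed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# RFC 5321: the EHLO parameter is the client's FQDN or a bracketed address literal.
EHLO_OK = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]{2,}$|^\[[^\]]+\]$", re.I)


@dataclass
class SmtpSession:
    banner: str = ""
    ehlo_arg: str = ""
    capabilities: list = field(default_factory=list)
    client_commands: list = field(default_factory=list)
    tls_started: bool = False
    cleartext_after_tls: int = 0


def parse_session(session):
    """Walk the cleartext dialogue; stop interpreting once the TLS go-ahead is seen."""
    s = SmtpSession()
    for direction, payload in session:
        for line in payload.split("\r\n"):
            if not line:
                continue
            if s.tls_started:
                s.cleartext_after_tls += 1      # should stay zero after STARTTLS
                continue
            if direction == "C":
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                s.client_commands.append(verb)
                if verb in ("EHLO", "HELO"):
                    s.ehlo_arg = arg.strip()
            else:
                code, text = line[:3], line[4:]
                if code == "220" and not s.banner:
                    s.banner = text
                elif code == "250":
                    s.capabilities.append(text)
                elif code == "220" and s.client_commands[-1:] == ["STARTTLS"]:
                    s.tls_started = True
    if s.capabilities:                # the first 250 line is the server's own name
        s.capabilities = s.capabilities[1:]
    return s


def assess(session, src_process, dst_port):
    """Heuristic findings for one session; none of them is a signature on its own."""
    s = parse_session(session)
    findings = []
    if dst_port in (25, 465, 587) and src_process.lower() not in MAIL_CLIENTS:
        findings.append(f"non-mail process {src_process} speaks SMTP to port {dst_port}")
    if s.ehlo_arg and not EHLO_OK.match(s.ehlo_arg):
        findings.append(f"EHLO argument {s.ehlo_arg!r} is neither an FQDN nor an address literal")
    auth = [c for c in s.capabilities if c.upper().startswith("AUTH ")]
    if s.tls_started:
        findings.append("STARTTLS accepted: AUTH, MAIL FROM, RCPT TO and DATA are encrypted in the capture")
        if auth:
            findings.append(f"server offers {auth[0]}; credentials travel inside TLS, recover them from the sample's config")
    if s.cleartext_after_tls:
        findings.append(f"{s.cleartext_after_tls} cleartext line(s) after the TLS go-ahead (downgrade or failed handshake)")
    return findings


if __name__ == "__main__":
    for finding in assess(SESSION, "RegSvcs.exe", 587):
        print(finding)
```

Two caveats on weighting these findings. An unqualified EHLO name is also what a .NET SmtpClient on a workgroup machine sends (its local host name), so that item is weak on its own; the strong signal is the combination of a non-mail process, a submission port, and an immediate STARTTLS to a hosted SMTP relay. And because the recipient mailbox and the SMTP password never appear in cleartext here, the "Found malware configuration" result at the top of the report, not the pcap, is where to look for the exfiltration account.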

                                                                                                                Code Manipulations

                                                                                                                Statistics

                                                                                                                CPU Usage


                                                                                                                Memory Usage


                                                                                                                High Level Behavior Distribution


                                                                                                                Behavior


                                                                                                                System Behavior

                                                                                                                General

Start time: 21:31:07
Start date: 03/08/2021
Path: C:\Users\user\Desktop\SOA.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\SOA.exe'
Imagebase: 0x870000
File size: 1148416 bytes
MD5 hash: 170F199A743CC527F5F222594AE66559
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

                                                                                                                General

Start time: 21:31:28
Start date: 03/08/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0x60000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                General

Start time: 21:31:28
Start date: 03/08/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0xa90000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.474638569.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.470502607.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                                                                General

Start time: 21:32:01
Start date: 03/08/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0x410000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

                                                                                                                General

Start time: 21:32:01
Start date: 03/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                General

Start time: 21:32:09
Start date: 03/08/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0xa80000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

                                                                                                                General

Start time: 21:32:09
Start date: 03/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
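Two facts in these process records deserve a mechanical check rather than a glance. RegSvcs.exe, the .NET Services Registration Tool, is started twice with no assembly path on its command line, which is the argument-less launch of a hollowed host process (the Yara hits for AgentTesla sit in the 32-bit instance). And NXLun.exe, the persistence copy written to AppData\Roaming, has exactly the size (45152 bytes) and MD5 (2867A3817C9245F7CF518524DFD18F28) of RegSvcs.exe: it is a renamed copy of the Microsoft binary, which is consistent with the 0% detection both engines report for it, and it too runs with no arguments. The script below is an added example (not part of the Joe Sandbox report) that performs both checks over records constructed from the table above. This export carries no parent PIDs, so it relies on image path, command line, size and hash only; the list of utilities that need an assembly argument is an assumption.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    start: str      # start time as recorded by the sandbox
    path: str
    cmdline: str
    size: int
    md5: str


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
NXLUN = r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"

# Constructed from the System Behavior records above (no parent PIDs in this export).
PROCS = [
    Proc("21:31:07", r"C:\Users\user\Desktop\SOA.exe", r"'C:\Users\user\Desktop\SOA.exe'",
         1148416, "170f199a743cc527f5f222594ae66559"),
    Proc("21:31:28", REGSVCS, REGSVCS, 45152, "2867a3817c9245f7cf518524dfd18f28"),
    Proc("21:31:28", REGSVCS, REGSVCS, 45152, "2867a3817c9245f7cf518524dfd18f28"),
    Proc("21:32:01", NXLUN, f"'{NXLUN}'", 45152, "2867a3817c9245f7cf518524dfd18f28"),
    Proc("21:32:01", CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
         625664, "ea777deea782e8b4d7c7c33bbf8a4496"),
    Proc("21:32:09", NXLUN, f"'{NXLUN}'", 45152, "2867a3817c9245f7cf518524dfd18f28"),
    Proc("21:32:09", CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
         625664, "ea777deea782e8b4d7c7c33bbf8a4496"),
]

SYSTEM_DIRS = ("c:\\windows\\",)
# .NET utilities that do nothing useful without an assembly path (assumed list).
NEEDS_ARGS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def arguments(p):
    """Command line minus the image path and its quotes; '' means no arguments."""
    cl = p.cmdline.strip().strip("'\"")
    if cl.lower().startswith(p.path.lower()):
        cl = cl[len(p.path):]
    return cl.strip(" '\"")


def started_without_arguments(procs):
    """Images known to need an argument, plus renamed copies of them (same size and MD5)."""
    needs = {(p.size, p.md5.lower()) for p in procs
             if ntpath.basename(p.path).lower() in NEEDS_ARGS}
    return [p for p in procs
            if (ntpath.basename(p.path).lower() in NEEDS_ARGS
                or (p.size, p.md5.lower()) in needs)
            and arguments(p) == ""]


def copied_system_binaries(procs):
    """(images outside the system dirs, images inside them) that share size and MD5."""
    by_hash = defaultdict(set)
    for p in procs:
        by_hash[(p.size, p.md5.lower())].add(p.path.lower())
    out = []
    for paths in by_hash.values():
        system = {x for x in paths if x.startswith(SYSTEM_DIRS)}
        elsewhere = paths - system
        if system and elsewhere:
            out.append((sorted(elsewhere), sorted(system)))
    return out


def triage(procs):
    findings = []
    for p in started_without_arguments(procs):
        findings.append(f"{p.start} {ntpath.basename(p.path)} started with no assembly path "
                        f"(md5 {p.md5[:8]}): likely hollowed host")
    for elsewhere, system in copied_system_binaries(procs):
        findings.append(f"{', '.join(elsewhere)} is a byte-identical copy of {', '.join(system)}")
    return findings


if __name__ == "__main__":
    for finding in triage(PROCS):
        print(finding)
```

Matching on size and hash rather than on the file name is what catches NXLun.exe: the name is new, but the bytes are Microsoft's, so a file-reputation lookup says clean while the combination "signed system utility copied to a user-writable directory, run with no arguments, then injected into" is the actual indicator.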

                                                                                                                Disassembly

                                                                                                                Code Analysis


                                                                                                                  Executed Functions

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3c340235755d530895bece9a98cfe54e28c8c1073a9d66cfca0ab11296016b5e
                                                                                                                  • Instruction ID: a201da1651b0b6d9de188dc9049c8b90b242088246af9e34a2f9d7ef12e8e334
                                                                                                                  • Opcode Fuzzy Hash: 3c340235755d530895bece9a98cfe54e28c8c1073a9d66cfca0ab11296016b5e
                                                                                                                  • Instruction Fuzzy Hash: 78630B70D10B5A8ECB11EB68C884699F7B1FF99300F15C79AE54877261EB70AAD4CF81
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2899e999224052a0b2137068f969b46bcaacbdf7d8c5122ba5b345e43425dccd
                                                                                                                  • Instruction ID: 16e6592a3ef4569b5e6b7ef9ef6dad69011c805bb04b5e6d6022917b26a8aed8
                                                                                                                  • Opcode Fuzzy Hash: 2899e999224052a0b2137068f969b46bcaacbdf7d8c5122ba5b345e43425dccd
                                                                                                                  • Instruction Fuzzy Hash: 6C532D70D1065A8ECB11EF68C884699F7B1FF95300F15C79AE548BB261EB70AAD4CF81
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5d53b799b8d331aa6ec69ecd10fff6e5054b7662c00cf539b6e87096367ed8e1
                                                                                                                  • Instruction ID: 1e5296ab45dbfc2434eb746c872d55839301a151da04427b92ba8a86d27fd6a9
                                                                                                                  • Opcode Fuzzy Hash: 5d53b799b8d331aa6ec69ecd10fff6e5054b7662c00cf539b6e87096367ed8e1
                                                                                                                  • Instruction Fuzzy Hash: B532DD31B143068FDB06ABB4D8546AEBBF2AF89304F818669E505DB392EB74DC45CB50
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0626B213
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: NameUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2645101109-0
                                                                                                                  • Opcode ID: ab5797afd176c55a3edca80411efa80c51e4ed3dfc30d0eb5c577780231c9f3c
                                                                                                                  • Instruction ID: b39c5ef2fede45e7103bf61fb753acca5643ecd758ec6c2027d16f3627c65184
                                                                                                                  • Opcode Fuzzy Hash: ab5797afd176c55a3edca80411efa80c51e4ed3dfc30d0eb5c577780231c9f3c
                                                                                                                  • Instruction Fuzzy Hash: F0511370E202188FDB54CFAAC894B9DBBF1FF48315F148169E815BB790D7749884CB91
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6bc824ff11fdb2d6ea2be656cfd5b4ee13f2576d3b3ddec810b12bb78d605cb7
                                                                                                                  • Instruction ID: e9097be135f22743c00f30842db987ae564d901321e5491fa261aea619f4d21b
                                                                                                                  • Opcode Fuzzy Hash: 6bc824ff11fdb2d6ea2be656cfd5b4ee13f2576d3b3ddec810b12bb78d605cb7
                                                                                                                  • Instruction Fuzzy Hash: D6220270B002058FDB25DB78C894BAEBBF6AF89304F158669E545DB3D2DB35EC428B50
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e0516cac17623873d52c41df7f134cee22f79c6475b58aa02d31732693b57338
                                                                                                                  • Instruction ID: e8413619fd07a194c42eb825cf6081c1c82a6328b9942862d934cacb50fa681b
                                                                                                                  • Opcode Fuzzy Hash: e0516cac17623873d52c41df7f134cee22f79c6475b58aa02d31732693b57338
                                                                                                                  • Instruction Fuzzy Hash: 58F1A030A002059FDB15DFB9C8447ADBBB2EF88354F248665E505EB396DB35EC42CB94
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f7709489aae0552a76fd641a13b73487fdf1a45d7b8b726babaa55fd3040d02c
                                                                                                                  • Instruction ID: cc63ddc57988fa9595870bbd4963318fd45f8447c9e63b4ed03ffb389bd19b7f
                                                                                                                  • Opcode Fuzzy Hash: f7709489aae0552a76fd641a13b73487fdf1a45d7b8b726babaa55fd3040d02c
                                                                                                                  • Instruction Fuzzy Hash: 03D17D70E1020A8FCB14DFA9C484AEEFBF1FF48314F158559E915AB351DB74A986CB90
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9d72216c515e363297258ae50b87f2dbacb5f26a4e6e8175459ff28d55c6719b
                                                                                                                  • Instruction ID: 18fe594283e66d42da3e75f40b633d102141c588c7c294e25332ba4895eaa0e8
                                                                                                                  • Opcode Fuzzy Hash: 9d72216c515e363297258ae50b87f2dbacb5f26a4e6e8175459ff28d55c6719b
                                                                                                                  • Instruction Fuzzy Hash: 7B12C4F0C857428AE310DF67E94C3853BA1F745728F584B28D2693B2E1D7B991AACF44
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: edcc521f51ba78bc193cb1595afbc5b99b8a4cd9066a4c3024bd407e8cb0dd19
                                                                                                                  • Instruction ID: fe091f178eacd0b8ffd855bcf5e23496fc2a09cf3e4fb99fdf7c0f25aeb93731
                                                                                                                  • Opcode Fuzzy Hash: edcc521f51ba78bc193cb1595afbc5b99b8a4cd9066a4c3024bd407e8cb0dd19
                                                                                                                  • Instruction Fuzzy Hash: DFB14D70E10259CFDB50CFAAC8857DEBBF2AF88758F14C129E815E7254DB749885CB82
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ead0b18d1585d6eff7193952fa2907cac077ba6b569e02b0adf73fe041fef665
                                                                                                                  • Instruction ID: 242cb5cadf3a7733bec303638fccf7b3f2b71d7ae1dc18a4361f0839c47ee0d4
                                                                                                                  • Opcode Fuzzy Hash: ead0b18d1585d6eff7193952fa2907cac077ba6b569e02b0adf73fe041fef665
                                                                                                                  • Instruction Fuzzy Hash: 77B16070E1021ACFDB50CFAAE8857DDBBF2AF48318F148529E814E7754EB749885CB81
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 29cea34d0dcee2f6b44a9777f08bd0fed8496c495581d14bb556b1a89c080623
                                                                                                                  • Instruction ID: b041e404082bd69b41d31f6136bbffafcd0b57ae341af71121be80327a7fe8b6
                                                                                                                  • Opcode Fuzzy Hash: 29cea34d0dcee2f6b44a9777f08bd0fed8496c495581d14bb556b1a89c080623
                                                                                                                  • Instruction Fuzzy Hash: D0916170E1025ADFDF50CFAAD8857DDBBF2EF88314F148529E814A7254DB749885CB82
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c61e2126df4cb711f87d66568b68560db43d921b9fa7e6bf42436216a877d0cc
                                                                                                                  • Instruction ID: c2e5428aa57b0016e6044e26186ce18c2560d5d500323ccbb08024de008330bd
                                                                                                                  • Opcode Fuzzy Hash: c61e2126df4cb711f87d66568b68560db43d921b9fa7e6bf42436216a877d0cc
                                                                                                                  • Instruction Fuzzy Hash: ADC11AB1C807458AD710DF66E84C3893BB1FB85318F184B29D2697B2D1D7B9A06ACF54
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626CE83
                                                                                                                  • LdrInitializeThunk.NTDLL ref: 0626D17B
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2638914809-0
                                                                                                                  • Opcode ID: 9edfe05142da05b95acbafcfb41bca023d8e6d9bd14daf4e04f84ebcd3ff2a87
                                                                                                                  • Instruction ID: 6d0b5ea115880ebbc7400ce86d2f438afa75276a1c40b4395b48dc9a4ab80475
                                                                                                                  • Opcode Fuzzy Hash: 9edfe05142da05b95acbafcfb41bca023d8e6d9bd14daf4e04f84ebcd3ff2a87
                                                                                                                  • Instruction Fuzzy Hash: B2922574A10228CFCB64EF30D8986ADB7B6BF48305F5084E9E94AA3744DB359E85CF50
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626CE83
                                                                                                                  • LdrInitializeThunk.NTDLL ref: 0626D17B
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2638914809-0
                                                                                                                  • Opcode ID: 7822e9b23ae14de996e0d1115982e311d085a67eedcf83405c0a738848db8516
                                                                                                                  • Instruction ID: acd4ded17381c6f07fb28ce81992a7abdbae257177ee739d1da0d4f2f0441a92
                                                                                                                  • Opcode Fuzzy Hash: 7822e9b23ae14de996e0d1115982e311d085a67eedcf83405c0a738848db8516
                                                                                                                  • Instruction Fuzzy Hash: 66522674A10228CFDB64DF30D898699B7B6BF48306F5084E9E94AA3344DF399E85CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626CE83
                                                                                                                  • LdrInitializeThunk.NTDLL ref: 0626D17B
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2638914809-0
                                                                                                                  • Opcode ID: ae0172094373f775b7b6c9a8a459f663d603f9cc0323925a366eac7559e3753b
                                                                                                                  • Instruction ID: 61cbdd5ec35ae2c4bf5c1f958eaae141d2a87427becc44ccd7de70bdfa5f38da
                                                                                                                  • Opcode Fuzzy Hash: ae0172094373f775b7b6c9a8a459f663d603f9cc0323925a366eac7559e3753b
                                                                                                                  • Instruction Fuzzy Hash: B5521674A10228CFDB64DF30D898699B7B6BF48306F5084E9E94AA3344DF399E85CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626CE83
                                                                                                                  • LdrInitializeThunk.NTDLL ref: 0626D17B
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2638914809-0
                                                                                                                  • Opcode ID: 0a3f5601c63083eeea30ea1c9fa808b37825a4acee81c29104fb22cc442af689
                                                                                                                  • Instruction ID: 5b1c8c7c504b782b1ae00c91568e5cf3bb3388163139a0e20927e1479daacf1c
                                                                                                                  • Opcode Fuzzy Hash: 0a3f5601c63083eeea30ea1c9fa808b37825a4acee81c29104fb22cc442af689
                                                                                                                  • Instruction Fuzzy Hash: 88521574A10228CFDB64DF30D898699B7B6BF48306F5084E9E94AA3344DF399E85CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626CE83
                                                                                                                  • LdrInitializeThunk.NTDLL ref: 0626D17B
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2638914809-0
                                                                                                                  • Opcode ID: fe0766e8a46dccc5e53aaebf0855c7984cda1d965a186efc195422e4c207b83c
                                                                                                                  • Instruction ID: e65e0016fd226f73ddb1b67971b89c26dac42454ea0994bdda858f18799bc520
                                                                                                                  • Opcode Fuzzy Hash: fe0766e8a46dccc5e53aaebf0855c7984cda1d965a186efc195422e4c207b83c
                                                                                                                  • Instruction Fuzzy Hash: 95420574A10228CFDB64DF30D898699B7B6BF48306F5084E9E94AA3344DF399E85CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626CE83
                                                                                                                  • LdrInitializeThunk.NTDLL ref: 0626D17B
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2638914809-0
                                                                                                                  • Opcode ID: c937d20e60fb8a4578646e43587a1f3ff1cd0dbad46176f90dfa6139a87cc2fe
                                                                                                                  • Instruction ID: 3516899810d3e1871198f62dea229bfb9f04e6311fba0757767edab16f6a4aa2
                                                                                                                  • Opcode Fuzzy Hash: c937d20e60fb8a4578646e43587a1f3ff1cd0dbad46176f90dfa6139a87cc2fe
                                                                                                                  • Instruction Fuzzy Hash: F3420574A10228CFDB64DF30D898699B7B6BF48306F5084E9E94AA3344DF399E85CF51
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0626CE83
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0626CE83
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0626CE83
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 012F6BB0
• GetCurrentThread.KERNEL32 ref: 012F6BED
• GetCurrentProcess.KERNEL32 ref: 012F6C2A
• GetCurrentThreadId.KERNEL32 ref: 012F6C83
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 012F6BB0
• GetCurrentThread.KERNEL32 ref: 012F6BED
• GetCurrentProcess.KERNEL32 ref: 012F6C2A
• GetCurrentThreadId.KERNEL32 ref: 012F6C83
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrInitializeThunk.NTDLL ref: 0626D17B
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0626D740
• KiUserExceptionDispatcher.NTDLL ref: 0626DC44
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: ad569af9ec75a86c7c92e4537636ebe52b81318415e2d30df552892286879da1
                                                                                                                  • Instruction ID: 9f937414f4c0dd3a52a909b50f7551fb28d601fc82a48722e4db789e19b08c09
                                                                                                                  • Opcode Fuzzy Hash: ad569af9ec75a86c7c92e4537636ebe52b81318415e2d30df552892286879da1
                                                                                                                  • Instruction Fuzzy Hash: 19F13B74A10218CFDB64DF21D89469DB7B2BF48306F1084E9E90AA3345DB39AE85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 1f3cf47bf3bb42510f9ffee54a108bbba50952559388248302dcd8beeec20a2c
                                                                                                                  • Instruction ID: 681569d20b58ad366bcd9533f62d2e80b461788c61df1c2733f5940840f28897
                                                                                                                  • Opcode Fuzzy Hash: 1f3cf47bf3bb42510f9ffee54a108bbba50952559388248302dcd8beeec20a2c
                                                                                                                  • Instruction Fuzzy Hash: 5DE14B74A11218CFDB64DF21D89469DB7B2BF48306F1084E9E90AA3344DF39AE85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 3cdf354463ee299ad192518ce078f5278391c5d1b12ccd72180e676e876665e7
                                                                                                                  • Instruction ID: 10ce1da6505c82fa6bdb92f28f99300276b43c3195a48f9df62107289cf9fa45
                                                                                                                  • Opcode Fuzzy Hash: 3cdf354463ee299ad192518ce078f5278391c5d1b12ccd72180e676e876665e7
                                                                                                                  • Instruction Fuzzy Hash: 67E14B74A10219CFDB64DF21D894699B7B2BF48206F1084E9E90AA3344DF39AEC5CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 5730b979bf78fe88e5592c6d0fec8cb128c2e6c2f99964ff3de85443ab9f0d17
                                                                                                                  • Instruction ID: 0d335272acff4df55f3ebbfbbbaf8a651c525b9a57c4df15d4c5c4c2a6c39734
                                                                                                                  • Opcode Fuzzy Hash: 5730b979bf78fe88e5592c6d0fec8cb128c2e6c2f99964ff3de85443ab9f0d17
                                                                                                                  • Instruction Fuzzy Hash: D0E14C74A10219CFDB64DF21D89469DB7B2BF48206F1084E9E90AA3344DF38AEC5CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: b9df0df6fa79e4e2f6f487c3dcacdd1b6232510ed241854dc9c2b79284b397fd
                                                                                                                  • Instruction ID: 8798834b6de097afd63bdbe50abbe244c39512ac458ea79bfa662e606f1bc797
                                                                                                                  • Opcode Fuzzy Hash: b9df0df6fa79e4e2f6f487c3dcacdd1b6232510ed241854dc9c2b79284b397fd
                                                                                                                  • Instruction Fuzzy Hash: 07D15D74A10219CFC764DF21D89469DB7B2BF88306F1084E9EA0AA3345DF349E85CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 9126640dd3c523625c0106ac1a0dff00fc4992522645495d83b0bf710b4a1b94
                                                                                                                  • Instruction ID: 114908fba40596b6cb7f3436e0f358b3d4b90cf1857f842582a75d81579e633e
                                                                                                                  • Opcode Fuzzy Hash: 9126640dd3c523625c0106ac1a0dff00fc4992522645495d83b0bf710b4a1b94
                                                                                                                  • Instruction Fuzzy Hash: 5ED14D74A10219CFCB64DF21D89469DB7B2BF48306F1084E9EA0AA3345DF399E85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 2adc02bcecbd4a2f06e29a772b6ed7991d918ebba0742eea01f868292773062e
                                                                                                                  • Instruction ID: 38c542e7c67d24414488d7f5b0772e9023c3e2c5ee7dc8e5cebc7722188f6ef8
                                                                                                                  • Opcode Fuzzy Hash: 2adc02bcecbd4a2f06e29a772b6ed7991d918ebba0742eea01f868292773062e
                                                                                                                  • Instruction Fuzzy Hash: FBD14C74A10219CFCB64DF21D89469DB7B2BF48206F1084E9EA0AA3345DF399EC5CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: c338d040f9b01334f7e40662bde1bed232837a930c08a060f09c224c3d263c64
                                                                                                                  • Instruction ID: a8439d26db60ff074d2a85ca1b51499861432ed6ff0c4adaf40f59cb38881ea6
                                                                                                                  • Opcode Fuzzy Hash: c338d040f9b01334f7e40662bde1bed232837a930c08a060f09c224c3d263c64
                                                                                                                  • Instruction Fuzzy Hash: 47D15C74A10219CFCB64DF21D89479DB7B2BF48206F1084E9EA0AA3345DF389E85CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626D740
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 6511245c54ec353403c8bfe7e6cf34ff1e021206ceae8acdba4d3125427aa095
                                                                                                                  • Instruction ID: 5ccc785bc9cfeb051118b9b841a95c53afd23dde82026e8e1bc14e19f853a952
                                                                                                                  • Opcode Fuzzy Hash: 6511245c54ec353403c8bfe7e6cf34ff1e021206ceae8acdba4d3125427aa095
                                                                                                                  • Instruction Fuzzy Hash: 7DC14CB4A10219CFCB64DF21D89469DB7B2BF48305F5084E9EA0AA3345DB389E85CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: e6a3e9ca830c43dbf6672845d1a20156181843812d9c21f25662f7afa98e3679
                                                                                                                  • Instruction ID: 43dd65e6f685308f89b1419865376bb2a486e43776a991334298dd4287a5bb5c
                                                                                                                  • Opcode Fuzzy Hash: e6a3e9ca830c43dbf6672845d1a20156181843812d9c21f25662f7afa98e3679
                                                                                                                  • Instruction Fuzzy Hash: A1C15CB4A10219CFCB64DF21D89479DB7B2BF88205F5084E9EA0AA3345DF389E85CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: deefe836e03af0de3e1c823e649251b622fc32559057a8a5a7bf0b36fc7840d7
                                                                                                                  • Instruction ID: 7f51edc94bab0decc47b571198798779d2e9b36951deabc2d7a21d1b5f41375c
                                                                                                                  • Opcode Fuzzy Hash: deefe836e03af0de3e1c823e649251b622fc32559057a8a5a7bf0b36fc7840d7
                                                                                                                  • Instruction Fuzzy Hash: EDC15CB4A10219CFCB64DF21C89479DB7B2BF88205F5084E9EA0A93345DF389E85CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 614fd5dcff3991465bd7e08fb7d9a7f5af5edb89e0aabe65e0380faac3748a8e
                                                                                                                  • Instruction ID: 8f81e3af2e987e54dce2ba140c2906b2ffea4db17cf3c7adf9b3fb6bef537f1b
                                                                                                                  • Opcode Fuzzy Hash: 614fd5dcff3991465bd7e08fb7d9a7f5af5edb89e0aabe65e0380faac3748a8e
                                                                                                                  • Instruction Fuzzy Hash: 56B15DB4A10219CFCB64DF21C89479DB7B2BF88205F5084E9EA0A93345DF389E85CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 14c5547e783fa5df57da00e9990e57e75588725d0e92b3672cfaebe995add147
                                                                                                                  • Instruction ID: abcc57676bca3539774f22621b6f4fec73cb284c3351f457b4f0fda911322476
                                                                                                                  • Opcode Fuzzy Hash: 14c5547e783fa5df57da00e9990e57e75588725d0e92b3672cfaebe995add147
                                                                                                                  • Instruction Fuzzy Hash: 28B15CB4A10219CFCB64DF20C894799B7B2BF88205F5084E9EA0A93345DB389E85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: b0510cef940fa7ae4bbed5a2c303e69ac7088ae4ba25419b69f060efb2b43c32
                                                                                                                  • Instruction ID: b8ebb2b21bfca4dc83bf4b0a9755299fdf528bded35d720755a429274688c6b4
                                                                                                                  • Opcode Fuzzy Hash: b0510cef940fa7ae4bbed5a2c303e69ac7088ae4ba25419b69f060efb2b43c32
                                                                                                                  • Instruction Fuzzy Hash: 89B15CB4A10219CFCB64DF21D894799B7B2BF88205F5084E9EA0A93345DB389D85CF55
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 497f53dedf832777bdf0e618a3e0646cc033f96fc129410fdc6f21426ed9519f
                                                                                                                  • Instruction ID: 09a0f2058a1097d5318add4715744d6d88cc56957be1a913f2af69a314e6dee7
                                                                                                                  • Opcode Fuzzy Hash: 497f53dedf832777bdf0e618a3e0646cc033f96fc129410fdc6f21426ed9519f
                                                                                                                  • Instruction Fuzzy Hash: 74A15CB4A10219CFCB64DF20D894799B7F2BF88205F5084E9EA0AA3345DF389D85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 8589eb0f79bd4ee836236f0c777b1b6ba6aee6a84900fcc58311e77ab6a726b3
                                                                                                                  • Instruction ID: f3455febc65c8c6b57b39551bec49f79efdc95eae5d9f9c7143b89333c301e83
                                                                                                                  • Opcode Fuzzy Hash: 8589eb0f79bd4ee836236f0c777b1b6ba6aee6a84900fcc58311e77ab6a726b3
                                                                                                                  • Instruction Fuzzy Hash: 7AA16DB4A10229CFCB64DB21D894799B7F2BF88205F5084E9EA0A93345DF389D85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: c5c7428851a31fb302bc2697edfc51772ca06b6519c8e8050b209ae4dd52eea7
                                                                                                                  • Instruction ID: 8126b414ed2eca4bfa2b275bb45cfbf387b2e87b7016be62b152b46e6584f14e
                                                                                                                  • Opcode Fuzzy Hash: c5c7428851a31fb302bc2697edfc51772ca06b6519c8e8050b209ae4dd52eea7
                                                                                                                  • Instruction Fuzzy Hash: 35915CB4A10219CFCB64DB21D894799B7F2BF88205F5084E9EA0AA3345DF389D85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 056b2f1e37ebcb5484535dc35a66fa2e4502e6f8f16c082a784c5654acb5ae7a
                                                                                                                  • Instruction ID: b9b2721486f325e1d643c57428d6a08777f656219044ed46231a78dcc23a2955
                                                                                                                  • Opcode Fuzzy Hash: 056b2f1e37ebcb5484535dc35a66fa2e4502e6f8f16c082a784c5654acb5ae7a
                                                                                                                  • Instruction Fuzzy Hash: 6D916DB4A10218CFCB64DB21C89479DB7F2BF88205F5084E9EA0AA3345DF389D85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: dcbc720d3bafc733caa8833e79295eb917f1bec69750e49c9ce0d620c5202d19
                                                                                                                  • Instruction ID: 61e46c8cecda40f306d1cd4d04be7450bd9efaf3d9b383415a3a6b202ba652e8
                                                                                                                  • Opcode Fuzzy Hash: dcbc720d3bafc733caa8833e79295eb917f1bec69750e49c9ce0d620c5202d19
                                                                                                                  • Instruction Fuzzy Hash: D2916EB4A10218CFCB64DB31C89479DB7F2AF88205F5084E9EA0AA3345DF399D85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: b8ca2ec6c864bbaec60319fdf60862d9bc0bc97b461be2d44954f79422902193
                                                                                                                  • Instruction ID: 6921a9d9390c34b7ea8712cf30b6da282ac41e4f1c5d6905c227c07cb56dfaf2
                                                                                                                  • Opcode Fuzzy Hash: b8ca2ec6c864bbaec60319fdf60862d9bc0bc97b461be2d44954f79422902193
                                                                                                                  • Instruction Fuzzy Hash: EA816DB4A102298FCB64DB31C89479DB7F2AF88305F5084E9EA0A93345DF389D85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: c13296d6b4d185cc51f2eb4f2947c1408dd09a2198dc5d7b05c0f45189663b5e
                                                                                                                  • Instruction ID: d512f6d0f2a6492884a42fe849bd2f4c88fdc7ea832c487c0bcba272c0dd0306
                                                                                                                  • Opcode Fuzzy Hash: c13296d6b4d185cc51f2eb4f2947c1408dd09a2198dc5d7b05c0f45189663b5e
                                                                                                                  • Instruction Fuzzy Hash: EF816CB4A102288FCB64DB25C89479DB7F2BF88205F5084E9EA0A93345DF789D85CF65
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 1ad8ff048c055f7aa93db9814213b8d01d3504971ca3377e65a5fd9a6bd90bdd
                                                                                                                  • Instruction ID: dc4a8b4ce93952effcf1884b251ab8f2309593fd207ca02a09e2f9869542777d
                                                                                                                  • Opcode Fuzzy Hash: 1ad8ff048c055f7aa93db9814213b8d01d3504971ca3377e65a5fd9a6bd90bdd
                                                                                                                  • Instruction Fuzzy Hash: 74717EB4A102298FCB64DB35C89479DB7F2AF88205F5084E9EA0AD3745DF389D85CF54
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 21df5e28febfe15150e01e2d84dc3d924ac2f9dc9fc83d5e77d7cba664b33a4a
                                                                                                                  • Instruction ID: f0f350122ae2aa327e79ba0fa57e215523d78abcd9b857d1c6434b80b6d7ac29
                                                                                                                  • Opcode Fuzzy Hash: 21df5e28febfe15150e01e2d84dc3d924ac2f9dc9fc83d5e77d7cba664b33a4a
                                                                                                                  • Instruction Fuzzy Hash: 34718FB4A102298FCB64DB35C85879DB7F2AF88205F5084E9EA0AD3745DF389D85CF54
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 6cbc8abd0180855d5f154dacf8a0cbc6e4cd586ddf27b7ec4ccc8be0830575a4
                                                                                                                  • Instruction ID: 88056464dc8fa71f24d37aef4aef415e4a629a1743c9ecd305ab79ccc73e8438
                                                                                                                  • Opcode Fuzzy Hash: 6cbc8abd0180855d5f154dacf8a0cbc6e4cd586ddf27b7ec4ccc8be0830575a4
                                                                                                                  • Instruction Fuzzy Hash: 5A618FB4A102298FCB64EB35C85879DB7F2AF88205F5084E9EA0AD3745DF389D85CF54
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3546e7dd586e9f57c32b7659c40971c5c0dd017219fa6c74a09a211e03113c5d
                                                                                                                  • Instruction ID: bb5f97e82e23896def4d398b064d16b2f6f6d106e0c14a4ce51a6b6847f0e7c3
                                                                                                                  • Opcode Fuzzy Hash: 3546e7dd586e9f57c32b7659c40971c5c0dd017219fa6c74a09a211e03113c5d
                                                                                                                  • Instruction Fuzzy Hash: 9B5137B6E143868FC701CF79D4047E9BFF1AF89314F1586AAD104A7392EB389855CBA0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 08406d01db756bdf0842f29e1cf77df672e55e24e3c0e341dabba239aebdb73a
                                                                                                                  • Instruction ID: 6ef6e4e365222ba191ca27593a1bd406266bf5bfa3059534061498b09ab66d37
                                                                                                                  • Opcode Fuzzy Hash: 08406d01db756bdf0842f29e1cf77df672e55e24e3c0e341dabba239aebdb73a
                                                                                                                  • Instruction Fuzzy Hash: DF61B1B4B102298FCB64DB35C89879DB7F2AF88205F5084A9EA0AD3745DF389D85CF50
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  APIs
                                                                                                                  • KiUserExceptionDispatcher.NTDLL ref: 0626DC44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: DispatcherExceptionUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 6842923-0
                                                                                                                  • Opcode ID: 69373f0b03af03a360a32a597111d0fb11505d4eaf4069ac6a9cc4460c668302
                                                                                                                  • Instruction ID: ef2235f40bdc108f314d5867fa6a159e103eb28c825169264e1bc3eafd5b95cb
                                                                                                                  • Opcode Fuzzy Hash: 69373f0b03af03a360a32a597111d0fb11505d4eaf4069ac6a9cc4460c668302
                                                                                                                  • Instruction Fuzzy Hash: 8A51C274B102298FCB64DB35C8587AEB7F2AF88205F5084A9EA0AD3745DF389D85DF50
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0626DC44
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 64a7269a5935f79015457d03437a587b8df20e683e7cfc4da93ac05ff6b53cd8
• Instruction ID: c4ce875e371d494a66075f259e3209b0ee966f950f8abde24c903e0215bf2745
• Opcode Fuzzy Hash: 64a7269a5935f79015457d03437a587b8df20e683e7cfc4da93ac05ff6b53cd8
• Instruction Fuzzy Hash: 8351D374B102298FCB64DB35C8587AEB7F6AF88205F5084A8E90AD3745DF389D85DF50
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0626B213
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 7c4934e76062e416661a00b797c483b3122f2557079928bb7a7e250cc689ad52
• Instruction ID: 59e1838144e9966c0f9ae27b1dbfca1f775b0db5358aef4b3f161bd59811a3b6
• Opcode Fuzzy Hash: 7c4934e76062e416661a00b797c483b3122f2557079928bb7a7e250cc689ad52
• Instruction Fuzzy Hash: A8512471E202188FDB54CFAAD885BDDBBF1FF48315F14816AE815AB750DB749884CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2946ee69b0b467bcb6aff0c6447e952384e0877635f5300f2e41a2091423f5f8
• Instruction ID: 6c93622624002af27f15fb01dd06931d236fe7b4139cd127afb9195be39c59c9
• Opcode Fuzzy Hash: 2946ee69b0b467bcb6aff0c6447e952384e0877635f5300f2e41a2091423f5f8
• Instruction Fuzzy Hash: 1D419271A103059FCB15FFB4D844AEEB7B6FF84204F508A29E5029B795EF75E8049BA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0626B213
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 31b618dc94ac3cafd0ec01f213b297d3628d2c91300dfec7412260ecd90a4250
• Instruction ID: 28a5cc83a2ba589d8d10291a42233ef6dba3a4d7f52416038fc5e48bad8b8f73
• Opcode Fuzzy Hash: 31b618dc94ac3cafd0ec01f213b297d3628d2c91300dfec7412260ecd90a4250
• Instruction Fuzzy Hash: 4B510270E202189FDB54CFAAC894B9DBBF1FF48315F148169E815BB790D7749884CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012F52A2
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 97bd9310da5f7e3d8775af725f786fd1173e6d42a27963894b8d39e818b10987
• Instruction ID: 4a72ddb3919763cbffd071e13da484ef2707ed7c72f028f9cc06fe187f9d043a
• Opcode Fuzzy Hash: 97bd9310da5f7e3d8775af725f786fd1173e6d42a27963894b8d39e818b10987
• Instruction Fuzzy Hash: 0B51CEB1D102499FDB14CFA9C884ADEFFB5BF88314F24822AE919AB210D7749845CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012F52A2
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: f91109280f99236a9f98424451603968cc91d8097141cb4de1ce5a055d879383
• Instruction ID: 696304c12e361a81aa3af14672e0713df0f8e823dbfd68b1ac02d379e235b4ba
• Opcode Fuzzy Hash: f91109280f99236a9f98424451603968cc91d8097141cb4de1ce5a055d879383
• Instruction Fuzzy Hash: 2341CFB1D103499FDB14CF9AC884ADEFBB5FF88314F24822AE919AB210D7749845CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 012F7CF9
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: a4491942b7b6023c23105e0604b2567ab1c4882378c0a78bbd66c2d1c1f614bb
• Instruction ID: 50ae4e35092097edcb62a3dfeb110da65a244a84b8c90a4cff59b8cfdeacb05b
• Opcode Fuzzy Hash: a4491942b7b6023c23105e0604b2567ab1c4882378c0a78bbd66c2d1c1f614bb
• Instruction Fuzzy Hash: 6C415AB5A10245CFDB14CF59C488BAAFBF5FF88314F24846DE619AB361D375A841CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 06263E4A
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 4eb7b4bbda3904689a1adc922bb05745f755c0da648b8f7f9f3e985375571ba9
• Instruction ID: b0c69469aa0eb967000f6f00c517ac602774efac644c22839ed2762744670729
• Opcode Fuzzy Hash: 4eb7b4bbda3904689a1adc922bb05745f755c0da648b8f7f9f3e985375571ba9
• Instruction Fuzzy Hash: 8D3103B0D202899FDB54CFAAD88579EBBB1FF08314F148529E815E7380D7749885CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 06263E4A
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 31f6766621100ffea820f10a25aeacf8cc01cf444f3e7060707d1bddd0ab8209
• Instruction ID: e3dba3c0d0eb63fea48ffac5a7aa19603075f44f9ac8a69ecbab4098475e60f7
• Opcode Fuzzy Hash: 31f6766621100ffea820f10a25aeacf8cc01cf444f3e7060707d1bddd0ab8209
• Instruction Fuzzy Hash: CD3105B0D202899FDB54CFAAD885B9EFBB5FF08314F148529E815A7380D7749885CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 0626B5F8
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 89b9aa83431bc9029d090fb6654936ce8b365657a5cefc42c48964fa6ac962e6
• Instruction ID: 7c92d21e1a0de46fef16dccd75ceb73f201eee12852cde31b402c99ab4e24c23
• Opcode Fuzzy Hash: 89b9aa83431bc9029d090fb6654936ce8b365657a5cefc42c48964fa6ac962e6
• Instruction Fuzzy Hash: 3131A071E1020A8FDB00DFAAD4447AEFBF4EB48314F11812AE814A7340E734A844CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012F6DFF
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 5cf555ef45a602441475609bc81b2238886632e01db467a67005a1b847827516
• Instruction ID: 3641bf3e16316f69a94b06ab956d17793369880f59d8d1eb6440b909dbbd6c14
• Opcode Fuzzy Hash: 5cf555ef45a602441475609bc81b2238886632e01db467a67005a1b847827516
• Instruction Fuzzy Hash: 2521E4B59002499FDB10CFA9D884AEEFFF4FB48324F14852AE914A7310D378A955CF60
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012F6DFF
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 906f3d2b46c4eea07bc48bafe3b7d6e3150d7195e59b7e27c05102c532495119
• Instruction ID: ec6e276e49fd1c285d6e86129771b595adfe98eeb4caddbd53dc8ef85db77769
• Opcode Fuzzy Hash: 906f3d2b46c4eea07bc48bafe3b7d6e3150d7195e59b7e27c05102c532495119
• Instruction Fuzzy Hash: 2E21C4B59002499FDB10CFAAD984ADEFBF8FB48324F14841AE914A7350D375A954CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 0626B5F8
Memory Dump Source
• Source File: 00000006.00000002.481403501.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 0f75076a3e33fc363ba51e07fa00e5136910155224b0d37a01e275207ea77da1
• Instruction ID: 239758aa5570f7c0983826664fd87b7c9945788bdc9dc9a199839beb4770a24f
• Opcode Fuzzy Hash: 0f75076a3e33fc363ba51e07fa00e5136910155224b0d37a01e275207ea77da1
• Instruction Fuzzy Hash: F12147B1C0465A8BCB10CF9AD5447EEFBB4EB48324F158229E818B7240D738A954CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 012FBE72
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: f4c55d28a1e9f851979442e4b30f11807e6a057c1f617aa2b3ff52406373f1bf
• Instruction ID: bb89316ae1a05fd44f79c10035b8537fa7937ba5da7d7ecdc74de9fe4183d3eb
• Opcode Fuzzy Hash: f4c55d28a1e9f851979442e4b30f11807e6a057c1f617aa2b3ff52406373f1bf
• Instruction Fuzzy Hash: FE2147B191030ACFDB10DFAAD94879ABBF4EB48328F64852AD609A3600D7395544CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,0120CC4A,?,?,0000011D), ref: 0120CD37
Memory Dump Source
• Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: c207f5911e5b30d800f01b03c3750125d382bb2af3d414a1498b30fc7a8e16c3
• Instruction ID: c467584e93acdd8127ead55fbf3e099983517f3b933ffac6f73aef47d0ea7eac
• Opcode Fuzzy Hash: c207f5911e5b30d800f01b03c3750125d382bb2af3d414a1498b30fc7a8e16c3
• Instruction Fuzzy Hash: AD1142B1C046599BCB10DF9AD444BEEFBF4EF48224F15826AE918B7240D378A954CFE1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 012FBE72
Memory Dump Source
• Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: aac7752cf2b417c6f854b23a761e3008fdbc2e373285d53d34711adc02d7fd7e
• Instruction ID: 1d1e2c8877a33599715461c44b7b40248f15b5f48dadc2238f09b48e6f5726b3
• Opcode Fuzzy Hash: aac7752cf2b417c6f854b23a761e3008fdbc2e373285d53d34711adc02d7fd7e
• Instruction Fuzzy Hash: E3116DB19103068FDB10DFA9D9487DEBBF4FB48328F64852AD609A3740D7795544CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,0120CC4A,?,?,0000011D), ref: 0120CD37
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID: GlobalMemoryStatus
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1890195054-0
                                                                                                                  • Opcode ID: 280054dff529c81244fd38d0f146fa65c6f7b431181220141991bf66be469297
                                                                                                                  • Instruction ID: 32baf0b58838eb83efd26d47cc3402f1cca31d331e4cdc8134dffff95ae2255c
                                                                                                                  • Opcode Fuzzy Hash: 280054dff529c81244fd38d0f146fa65c6f7b431181220141991bf66be469297
                                                                                                                  • Instruction Fuzzy Hash: 601142B1C0025A8BCB00CF9AD584BDEFBB4BF48324F15866AE518B7240D378A944CFA1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Non-executed Functions

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ff1a024f8e174aac80d19112e74ff8d621940dcdc901eeb38402049f5ada3389
                                                                                                                  • Instruction ID: 6ed4d4f4843b9b02fd49cd4902c6dc82e614ba40edf1d43920214cf883f2f4e6
                                                                                                                  • Opcode Fuzzy Hash: ff1a024f8e174aac80d19112e74ff8d621940dcdc901eeb38402049f5ada3389
                                                                                                                  • Instruction Fuzzy Hash: 95133B70D1061A8FCB15EF68C8846ADF7B1BF99304F15C79AE549AB251EB30AAC4CF41
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473364787.0000000001200000.00000040.00000001.sdmp, Offset: 01200000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 932711dd7e281c569c3803929ca94eddf93fb9ccc91fe28358227667e800de1d
                                                                                                                  • Instruction ID: c0260732b0e557b7d160e48d72dd59245aae0341190992576561e73caafef4e4
                                                                                                                  • Opcode Fuzzy Hash: 932711dd7e281c569c3803929ca94eddf93fb9ccc91fe28358227667e800de1d
                                                                                                                  • Instruction Fuzzy Hash: A6028F30A10219CFDB25EBB9C84479EB7B2BF88304F1085A9E549DB796DF359C85CB60
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.473889877.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3410ebba7458b583e9d215cc659e6a4b3f39b3eed3d1f4a4466f559ea270d044
                                                                                                                  • Instruction ID: a0c11aa55197691c7b0765ab7b93cd8f7f9266917fe6acbec4c2d9d90fd5bcaa
                                                                                                                  • Opcode Fuzzy Hash: 3410ebba7458b583e9d215cc659e6a4b3f39b3eed3d1f4a4466f559ea270d044
                                                                                                                  • Instruction Fuzzy Hash: 0891C234F182188BDB18EFB5985577EB6B3BFC9204F05892DE646D7388DF3988018791
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Executed Functions

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 359a8ce0f3a256610b075479cc44098fcc613bd35b39eba619382a573706001b
                                                                                                                  • Instruction ID: b6a8713b4859c5fd2fffc5a44348812d991ee8ff975417bedc714a0827ff142a
                                                                                                                  • Opcode Fuzzy Hash: 359a8ce0f3a256610b075479cc44098fcc613bd35b39eba619382a573706001b
                                                                                                                  • Instruction Fuzzy Hash: 84328C35700651CFC718EB71E89476A77A2FB89309B20C928D5068B7DADF39EC46CB94
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b05bd548f0535e1793e4e190361b54a05d8d7448d4db29e823f781f620f9d133
                                                                                                                  • Instruction ID: 514cbabec1adb1d227a6a94edd319c61ecf23679ba9b6dc0f49e6b41fdee145f
                                                                                                                  • Opcode Fuzzy Hash: b05bd548f0535e1793e4e190361b54a05d8d7448d4db29e823f781f620f9d133
                                                                                                                  • Instruction Fuzzy Hash: B281E531A01284CFCB299BB0D85879DBBB2FF99318F058529D5026B7E5DF34AC89CB40
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 30dee3327ab412e00b0207fb9908976dc73a5e768b255077ee450c49546ca55b
                                                                                                                  • Instruction ID: 47bff37c22bb5a7a591f730f618d5c746e8f93a2176c9751f7d4ca7f46f8766c
                                                                                                                  • Opcode Fuzzy Hash: 30dee3327ab412e00b0207fb9908976dc73a5e768b255077ee450c49546ca55b
                                                                                                                  • Instruction Fuzzy Hash: 6A3159747452508FCB58AB38C49886D37E1AF8A61D31204BDE502CFBB1EB31DC46CB90
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9d65030cbe0e67561392025922fa545cf91cc609e7b7fb0e286634d076d5fe53
                                                                                                                  • Instruction ID: 3fb6d1b8bb2c4d91555c8a652729cb400199fdff93963c1986e83beb4310d3d8
                                                                                                                  • Opcode Fuzzy Hash: 9d65030cbe0e67561392025922fa545cf91cc609e7b7fb0e286634d076d5fe53
                                                                                                                  • Instruction Fuzzy Hash: C721EA747452108FC758AB38C49891D37E1AF8961D35108B9E506CF7B5EF36EC46CB94
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4ee633979491338fc2c7d6d1a69ddb0e2ffe8c48077d47e577c6a67d8ecd2d4d
                                                                                                                  • Instruction ID: acb43257ed2ee31368775677f5ff204d2dd18917da21d177608606f94b8cc538
                                                                                                                  • Opcode Fuzzy Hash: 4ee633979491338fc2c7d6d1a69ddb0e2ffe8c48077d47e577c6a67d8ecd2d4d
                                                                                                                  • Instruction Fuzzy Hash: BC11E176E00205CFCB44EFB4D8849EEFBB1FF89204B10866AD51997622EB349809CB80
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e2c9af2adf411c80114f823a35e7795034f7b385a238e2be61a9f73ff1c18b72
                                                                                                                  • Instruction ID: 58a49d2248de026ac19b3aaaac5c0097ce53bcba9b3f5cb53b717020e40f1264
                                                                                                                  • Opcode Fuzzy Hash: e2c9af2adf411c80114f823a35e7795034f7b385a238e2be61a9f73ff1c18b72
                                                                                                                  • Instruction Fuzzy Hash: 87019E36E00206DFCB44EFB9D8448EEFBB5FF8D204710866AE51897621EB34A905CB90
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f5cc7476a81ed60662a5ac5d4e86f67879355707205d951ef7ef9839f59d82e6
                                                                                                                  • Instruction ID: 12e8a22d318da5d92e583a2ba2bd416aac7d3a608a9a7672803821be974726c9
                                                                                                                  • Opcode Fuzzy Hash: f5cc7476a81ed60662a5ac5d4e86f67879355707205d951ef7ef9839f59d82e6
                                                                                                                  • Instruction Fuzzy Hash: 4BF082F1E0E3946FCB019B7899112DD7FF09B5A201F1504ABD685DB293E1244E19C792
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 7a9b2e63ccd08b104170565662eac00b0cd6368244501870aa37a329b80923ca
                                                                                                                  • Instruction ID: bb6ad92879661ca4c172fd007ded489f75f20951f816897b737b2e729ea0694d
                                                                                                                  • Opcode Fuzzy Hash: 7a9b2e63ccd08b104170565662eac00b0cd6368244501870aa37a329b80923ca
                                                                                                                  • Instruction Fuzzy Hash: E4F08C71A02214CFDB18EBA0C0487AD7BF0BF09218F110898D002AB3E0DB75A888CB94
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9640c0c160c0f7b921c8994f2c78011c8a2eff36acc1f1dfb5b281ec4a29775f
                                                                                                                  • Instruction ID: 1b1d5a5e3259a4174f3efa89e5f16eacdabaeefbbf86a9f740d2126834a52f8e
                                                                                                                  • Opcode Fuzzy Hash: 9640c0c160c0f7b921c8994f2c78011c8a2eff36acc1f1dfb5b281ec4a29775f
                                                                                                                  • Instruction Fuzzy Hash: 44D02B31700210CFC310EB74E808B4A3BB8EF05615F104060E608CB2E0DB71DC04C7D0
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.318980842.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2e99f6754cfefeb696a01cf1100ea98e950611e72ac9cca2c0486fec32bfe4e1
                                                                                                                  • Instruction ID: 3fdb2ae6e04d934d5342e436d24ff87923af781a4d7dba654ee35f9501a6ec7b
                                                                                                                  • Opcode Fuzzy Hash: 2e99f6754cfefeb696a01cf1100ea98e950611e72ac9cca2c0486fec32bfe4e1
                                                                                                                  • Instruction Fuzzy Hash: 9ED067B1D01229AF8B40EFB999052DEBBF8FA09251B1045A6D919E7240E6705A14CBD1
                                                                                                                  Uniqueness

                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                  Non-executed Functions

                                                                                                                  Executed Functions

                                                                                                                  Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19769c6b4ee308690b62a8219398af5880a464364d5865d8186d2332143e13f4
• Instruction ID: 67ee95471dd8c0070cdf811fadb1f921370bd1b1da2f2c35de61638dd609f858
• Opcode Fuzzy Hash: 19769c6b4ee308690b62a8219398af5880a464364d5865d8186d2332143e13f4
• Instruction Fuzzy Hash: BB225279704601CFC725EF64E4E46AA77B2FB84309B14892CD58287789EF36EC46CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c654181a403b9b7e1cb63866608c477360e4217ce665e9b63972910ba20ce3eb
• Instruction ID: f5a66a33876bab350af49012390dcf52331d7b543780e0bf9f9fc7a422e5f4e3
• Opcode Fuzzy Hash: c654181a403b9b7e1cb63866608c477360e4217ce665e9b63972910ba20ce3eb
• Instruction Fuzzy Hash: 2D318C755043808FD726EF64D4887DA7FF2EF45310F0584A9E48297659DF35A885CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd79282fd6b678d8d8cb2240b952d85bb3c915d1074258c7b1c672234981f5a3
• Instruction ID: 3d22a1caebb6b631961b8d917eeb90122abe7f30a1a385d521d781faeece6f8d
• Opcode Fuzzy Hash: bd79282fd6b678d8d8cb2240b952d85bb3c915d1074258c7b1c672234981f5a3
• Instruction Fuzzy Hash: 8971F779A003458FDB299F64C4886DEBBF2EF88300F158959E58297758EF75AC85CB40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bcb3fb8981d171ee1df9e225e688ca10a7c11939aae57865beb1a057904eaee5
• Instruction ID: 693b06a4707258d0d717fd3cec8d07aa33f42c82051391990c7ab4e0231e10e5
• Opcode Fuzzy Hash: bcb3fb8981d171ee1df9e225e688ca10a7c11939aae57865beb1a057904eaee5
• Instruction Fuzzy Hash: B4312A747042508FCB59AB38C4A896D77F1AF8961931104ADF502CF775EB35DC46CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94b98c3c1efe4bf7eb1a88968021c877b54d3e9296d64b01ae3a44f212cdee52
• Instruction ID: 66f20457385a0fc9a7e5e79136332bd5c60ff68938500cfb29a812bb6ad42dc5
• Opcode Fuzzy Hash: 94b98c3c1efe4bf7eb1a88968021c877b54d3e9296d64b01ae3a44f212cdee52
• Instruction Fuzzy Hash: CE21EA747452108FC758AB38C49895D77E1AF8961935108BCF606CFB75EB32DC46CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a5159a34dafcdf2deec72f8e8d7d722a035be23ffe6f47e96ae246161e18227
• Instruction ID: 6a7ca5c822e9e4fc04ed313ef950522cfd968dfc78a45ae33dece4c804b63642
• Opcode Fuzzy Hash: 8a5159a34dafcdf2deec72f8e8d7d722a035be23ffe6f47e96ae246161e18227
• Instruction Fuzzy Hash: 6F112475B042049FCB15EB74E4A4AAE7BB9EF86204F1040A8E245DF781DF319D02C7A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a4c528446339f333e5c07e3b85f50199697ffb1b511e6ff6b8a9cf33a2c9202
• Instruction ID: cedf36cc3b1c7f02c5a3edd6b3e2375b16adb1334c62b7ea4d745e76c0c220d3
• Opcode Fuzzy Hash: 1a4c528446339f333e5c07e3b85f50199697ffb1b511e6ff6b8a9cf33a2c9202
• Instruction Fuzzy Hash: 9B11A17AE002099FCB04EFB8D8849DEBBF5FF89300F10866AE515A7721E7319905CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7c82b9bdf96c3815f4a38e75bb458850eedf6e779c28a2a114c10564b85ba23
• Instruction ID: 6cf17eeabb24acc96f1b5cbd0fa3f54ec5b0962b98c47778a179e24c88499dc3
• Opcode Fuzzy Hash: b7c82b9bdf96c3815f4a38e75bb458850eedf6e779c28a2a114c10564b85ba23
• Instruction Fuzzy Hash: 2001923AE002059FCB44EFB8D8448DEFBF5FF89300710866AE51497320E730A915CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69d768eb21ed79915744b1fb4a5003f64187289223383fd36f6704da994ad2df
• Instruction ID: d3b6ec3c2f37e29e6c9901269d2e06489a1a9920aa71dafab7c937c74b9406fc
• Opcode Fuzzy Hash: 69d768eb21ed79915744b1fb4a5003f64187289223383fd36f6704da994ad2df
• Instruction Fuzzy Hash: D0E09274D052599F8B51ABB955455DABFF4E906210B4541B6D889E3101E2704A09C7C1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a020ca6dcc83da35c1217ccd6f738523385631c13a51f2a34db60b15aa5281b
• Instruction ID: 2b6de2822823eeb5f0f3a51205c7ec32e0ea8c5d0103df2c659f1984559bf442
• Opcode Fuzzy Hash: 3a020ca6dcc83da35c1217ccd6f738523385631c13a51f2a34db60b15aa5281b
• Instruction Fuzzy Hash: 8DF01C74A042058FEB24EF64C1997EE7BF0AF48318F150899E082E7395DB75A984CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c3df9b0bcb107e7a3a76bf5672f411c0e11711d858ca5356c9743c7d26c4061
• Instruction ID: 9052c99d56bafca095c73e1e673027bf6313af6c02799df7db0e153c4972ceda
• Opcode Fuzzy Hash: 3c3df9b0bcb107e7a3a76bf5672f411c0e11711d858ca5356c9743c7d26c4061
• Instruction Fuzzy Hash: 14D017B1D00229AF8B50EFB99A051DEBBF8EA08250B0005B6D959E3204E7744A108BD1
Uniqueness
Uniqueness Score: -1.00%

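The function entries above are only useful across reports if they can be pulled out of the plain-text rendering and keyed on their hashes. The parser below is an added example written for this page, not Joe Sandbox tooling; it reads "Memory Dump Source" blocks in exactly the layout shown (the "•" field bullets, the Similarity and Uniqueness sub-headers, the "Uniqueness Score" line), normalises field names to snake_case keys (the key names are this example's choice), sanity-checks the hash fields, and intersects instruction fuzzy hashes between two parsed reports to flag functions that appear in both. The two embedded sample entries are copied from the listing above. Exact hash equality is all this does; the report's own Similarity and Uniqueness scoring is not reproduced.

```python
"""Parse per-function 'Memory Dump Source' entries from a Joe Sandbox report
rendered as plain text, then index and compare their instruction fuzzy hashes.
Example code added for this page; not Joe Sandbox's own tooling."""
import re

# Two entries copied from the listing above (real report data, not constructed).
SAMPLE_LISTING = """\
Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c654181a403b9b7e1cb63866608c477360e4217ce665e9b63972910ba20ce3eb
• Instruction ID: f5a66a33876bab350af49012390dcf52331d7b543780e0bf9f9fc7a422e5f4e3
• Opcode Fuzzy Hash: c654181a403b9b7e1cb63866608c477360e4217ce665e9b63972910ba20ce3eb
• Instruction Fuzzy Hash: 2D318C755043808FD726EF64D4887DA7FF2EF45310F0584A9E48297659DF35A885CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.336504343.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd79282fd6b678d8d8cb2240b952d85bb3c915d1074258c7b1c672234981f5a3
• Instruction ID: 3d22a1caebb6b631961b8d917eeb90122abe7f30a1a385d521d781faeece6f8d
• Opcode Fuzzy Hash: bd79282fd6b678d8d8cb2240b952d85bb3c915d1074258c7b1c672234981f5a3
• Instruction Fuzzy Hash: 8971F779A003458FDB299F64C4886DEBBF2EF88300F158959E58297758EF75AC85CB40
Uniqueness
Uniqueness Score: -1.00%
"""

# "Source File: <dump>, Offset: <hex>, based on PE: <bool>" as printed in the report.
_SOURCE_RE = re.compile(
    r"Source File:\s*(?P<file>.+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
# Generic "• Label: value" line; the bullet is optional (Uniqueness Score has none).
_FIELD_RE = re.compile(r"^\u2022?\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def _norm_key(key):
    # Key naming (snake_case) is this example's convention, not the report's.
    return key.strip().lower().replace(" ", "_")


def parse_listing(text):
    """Return one dict per 'Memory Dump Source' block; empty fields become None."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # the rendered report carries heavy indentation
        if not line or line in ("Similarity", "Uniqueness"):
            continue
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first block header is ignored
        m = _SOURCE_RE.search(line)
        if m:
            current["source_file"] = m.group("file")
            current["offset"] = int(m.group("offset"), 16)
            current["based_on_pe"] = m.group("pe").lower() == "true"
            continue
        m = _FIELD_RE.match(line)
        if m:
            key = _norm_key(m.group("key"))
            value = m.group("value").strip() or None
            if key == "uniqueness_score" and value is not None:
                value = float(value.rstrip("%"))
            current[key] = value
    return records


def validate(record):
    """List the ways a record deviates from the shape seen in the report."""
    problems = []
    for key in ("opcode_id", "instruction_id", "opcode_fuzzy_hash"):
        if not _HEX64.match(record.get(key) or ""):
            problems.append(f"{key} is not 64 lower-case hex digits (256 bits)")
    if not re.fullmatch(r"[0-9A-F]+", record.get("instruction_fuzzy_hash") or ""):
        problems.append("instruction_fuzzy_hash is not upper-case hex")
    if "source_file" not in record:
        problems.append("missing Source File line")
    return problems


def hashes_by_dump(records, field="instruction_fuzzy_hash"):
    """Map each memory dump to the set of function hashes found in it."""
    index = {}
    for rec in records:
        if rec.get(field):
            index.setdefault(rec.get("source_file", "?"), set()).add(rec[field])
    return index


def shared_hashes(records_a, records_b, field="instruction_fuzzy_hash"):
    """Hashes present in both reports: candidates for code reuse between samples."""
    a = {r[field] for r in records_a if r.get(field)}
    b = {r[field] for r in records_b if r.get(field)}
    return a & b


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in recs:
        print(r["opcode_id"][:16], r["instruction_fuzzy_hash"], validate(r))
    print(hashes_by_dump(recs))
```

Feed the full text of two reports' "Executed Functions" sections to parse_listing and pass both lists to shared_hashes to see which functions carry identical instruction fuzzy hashes; in this report every entry's Opcode ID equals its Opcode Fuzzy Hash and every Uniqueness Score is -1.00%, so those fields add nothing for matching and the instruction fuzzy hash is the one worth indexing.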
                                                                                                                  Non-executed Functions