Windows Analysis Report
JULY SOA.exe

Overview

General Information

Sample Name: JULY SOA.exe
Analysis ID: 680518
MD5: c059fd1e2ec2df2b8e4af62359868b1b
SHA1: 5cfadf7c20971459dadeae535e61bcc6b6175df0
SHA256: 6c9947dd57c1a90267929341ffb0a7ff7f225156748160852a78dd83d6943578
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: JULY SOA.exe Virustotal: Detection: 59%
Source: JULY SOA.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\qOHVWexsnI.exe ReversingLabs: Detection: 39%
Source: JULY SOA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\qOHVWexsnI.exe Joe Sandbox ML: detected
Source: 16.0.JULY SOA.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.JULY SOA.exe.3bae2b0.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "francisco@palumalimited.com", "Password": "+D&GRBh14#(M", "Host": "mail.palumalimited.com"}
Source: JULY SOA.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: JULY SOA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
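Triage helper for this report, added here as an example; it is not part of the Joe Sandbox report and not Joe Sandbox tooling. It verifies a file against the hashes listed under General Information, pulls the AgentTesla configuration out of the Malware Configuration Extractor line above, deduplicates the TCP endpoints from the Networking section that follows (the report prints the same 174.136.29.110:587 connection twice, which is consistent with the SMTP exfil mode in the extracted config), and applies a first-pass noise filter to the "String found in binary or memory" URLs, most of which are CRL, OCSP and CPS pointers from Windows trusted-root processing plus font-vendor metadata rather than attacker infrastructure. The noise patterns, the CA list and the sample lines are assumptions chosen for this page (the sample lines are copied from the report); tune them before reuse.

```python
"""Triage helpers for a Joe Sandbox style report (added example, not vendor code)."""
import hashlib
import json
import re
from typing import Optional

# Hashes as printed in the report's General Information section.
REPORTED_HASHES = {
    "md5": "c059fd1e2ec2df2b8e4af62359868b1b",
    "sha1": "5cfadf7c20971459dadeae535e61bcc6b6175df0",
    "sha256": "6c9947dd57c1a90267929341ffb0a7ff7f225156748160852a78dd83d6943578",
}


def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests of data, keyed like REPORTED_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED_HASHES}


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def matches_report(digests: dict) -> bool:
    """True only if every algorithm agrees; one mismatch means a different file."""
    return all(digests.get(k) == v for k, v in REPORTED_HASHES.items())


# "Malware Configuration Extractor: Agenttesla {...}": the JSON object after the family name.
CONFIG_RE = re.compile(r"Malware Configuration Extractor:\s*\S+\s*(\{.*\})")


def parse_config(line: str) -> Optional[dict]:
    m = CONFIG_RE.search(line)
    return json.loads(m.group(1)) if m else None


# "TCP traffic: 192.168.2.3:49766 -> 174.136.29.110:587"
TCP_RE = re.compile(r"TCP traffic:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)")


def extract_tcp_endpoints(lines) -> list:
    """Unique (dst_ip, dst_port) pairs; the report repeats identical connections."""
    found = set()
    for line in lines:
        m = TCP_RE.search(line)
        if m:
            found.add((m.group(3), int(m.group(4))))
    return sorted(found)


URL_RE = re.compile(r"https?://\S+")
# Heuristic (assumption): certificate-infrastructure strings that Windows trusted-root
# processing leaves in memory, CAs seen in this report, and font-vendor metadata.
# The trailing "0", "0G", "0;" on many URLs are DER length bytes picked up by the string
# scanner, so patterns are matched anywhere in the URL rather than anchored at its end.
NOISE_PATTERNS = [
    r"(crl|ocsp|cps|dpc|cert|pki|repository|policy|trustedr|sign|legislacion|normativa)",
    r"\.(crt|p7[bc]|cab)",
    r"(windowsupdate\.com|letsencrypt\.org|lencr\.org|identrust\.com|schemas\.xmlsoap\.org|apache\.org)",
    r"(anf\.es|accv\.es|disig\.sk|e-szigno\.hu|acabogacia\.org)",
    r"(fontfabrik|carterandcone|agfamonotype)",
]
NOISE_RE = re.compile("|".join(NOISE_PATTERNS), re.IGNORECASE)


def classify_url(url: str) -> str:
    return "noise" if NOISE_RE.search(url) else "review"


def review_urls(lines) -> list:
    """URLs from the report lines that survive the noise filter and deserve a look."""
    keep = set()
    for line in lines:
        for url in URL_RE.findall(line):
            if classify_url(url) == "review":
                keep.add(url)
    return sorted(keep)


# Lines copied from the report above (a small constructed subset).
SAMPLE_LINES = [
    'Source: 0.2.JULY SOA.exe.3bae2b0.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "francisco@palumalimited.com", "Password": "+D&GRBh14#(M", "Host": "mail.palumalimited.com"}',
    "Source: global traffic TCP traffic: 192.168.2.3:49766 -> 174.136.29.110:587",
    "Source: global traffic TCP traffic: 192.168.2.3:49766 -> 174.136.29.110:587",
    "Source: JULY SOA.exe String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0",
    "Source: DnDcR.exe String found in binary or memory: http://5yHd6xzSnU.com",
    "Source: JULY SOA.exe String found in binary or memory: http://mail.palumalimited.com",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        cfg = parse_config(line)
        if cfg:
            print("exfil:", cfg["Exfil Mode"], "to", cfg["Host"], "as", cfg["Username"])
    print("tcp endpoints:", extract_tcp_endpoints(SAMPLE_LINES))
    print("urls to review:", review_urls(SAMPLE_LINES))
    print("empty file matches report hashes:", matches_report(hash_bytes(b"")))
```

Run it against the full report text to get the short review list (the palumalimited.com hosts, the DynDns string and the random-looking domains the dropped DnDcR.exe carries) instead of the full CRL noise; treat the extracted SMTP credentials as compromised and report them to the mailbox owner rather than reusing them.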

Networking

Source: Yara match File source: 0.2.JULY SOA.exe.3be2ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3bae2b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3ac8c30.1.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View IP Address: 174.136.29.110
Source: global traffic TCP traffic: 192.168.2.3:49766 -> 174.136.29.110:587
Source: global traffic TCP traffic: 192.168.2.3:49766 -> 174.136.29.110:587
Source: JULY SOA.exe, 00000010.00000002.535440551.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.536397827.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DnDcR.exe, 0000001B.00000002.536397827.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551552984.0000000003412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5yHd6xzSnU.com
Source: DnDcR.exe, 0000001B.00000002.536397827.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DVKGwn.com
Source: DnDcR.exe, 0000001B.00000002.536397827.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390070081.0000000006174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390070081.0000000006174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: JULY SOA.exe, 00000010.00000002.562505783.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000002.551057155.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551678919.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: JULY SOA.exe, 00000010.00000002.532335988.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390070081.0000000006174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chamber
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390634314.0000000006156000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: JULY SOA.exe, 00000010.00000002.562505783.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000002.551057155.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551678919.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: JULY SOA.exe, 00000010.00000002.562505783.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000002.551057155.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551678919.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: JULY SOA.exe, 00000010.00000003.387953820.0000000006178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390070081.0000000006174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390634314.0000000006156000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: JULY SOA.exe, 00000010.00000003.390993402.0000000006BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.defence.gov.au/pki0
Source: JULY SOA.exe, 00000010.00000003.387953820.0000000006178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: JULY SOA.exe, 00000010.00000002.565897741.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: JULY SOA.exe, 00000010.00000002.562505783.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000002.551057155.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551678919.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: JULY SOA.exe, 00000010.00000002.565897741.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: JULY SOA.exe, 00000010.00000002.563253922.000000000616E000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: JULY SOA.exe, 00000010.00000003.391149006.0000000006C40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000002.563149008.0000000006133000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: JULY SOA.exe, 00000010.00000003.387953820.0000000006178000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.16.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: JULY SOA.exe, 00000010.00000003.386301095.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3a51ff57fd138
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390070081.0000000006174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: JULY SOA.exe, 00000000.00000003.259152234.00000000010DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: JULY SOA.exe, 00000010.00000003.387953820.0000000006178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000002.563149008.0000000006133000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: JULY SOA.exe, 00000000.00000002.336085792.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: JULY SOA.exe, 00000010.00000002.551057155.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551678919.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.palumalimited.com
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: JULY SOA.exe, 00000010.00000002.551057155.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551678919.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://palumalimited.com
Source: JULY SOA.exe, 00000010.00000003.388386158.0000000006C41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: JULY SOA.exe, 00000010.00000002.562505783.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000002.551057155.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551678919.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: JULY SOA.exe, 00000010.00000002.562505783.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000002.551057155.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 0000001B.00000002.551678919.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: JULY SOA.exe, 00000000.00000002.313583973.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.390993402.0000000006BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: JULY SOA.exe, 00000010.00000003.390489017.000000000613A000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: JULY SOA.exe, 00000010.00000003.390243547.0000000006149000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: JULY SOA.exe, 00000000.00000003.272219489.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.
Source: JULY SOA.exe, 00000010.00000003.388386158.0000000006C41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es
Source: JULY SOA.exe, 00000010.00000002.563109744.0000000006121000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.389668840.0000000006159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: JULY SOA.exe, 00000000.00000002.336085792.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: JULY SOA.exe, 00000000.00000002.336085792.0000000006CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: JULY SOA.exe, 00000000.00000003.264734009.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000000.00000003.264473152.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000000.00000003.264579666.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comyle
Source: JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: JULY SOA.exe, 00000010.00000003.387953820.0000000006178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: JULY SOA.exe, 00000010.00000003.387953820.0000000006178000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: JULY SOA.exe, 00000010.00000003.390747397.0000000006122000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.388532755.000000000611C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: unknown DNS traffic detected: queries for: mail.palumalimited.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\JULY SOA.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\JULY SOA.exe
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06447760 SetWindowsHookExW 0000000D,00000000,?,? 16_2_06447760

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\JULY SOA.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 16.0.JULY SOA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.0.JULY SOA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 19.2.DnDcR.exe.43cbec8.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.DnDcR.exe.43cbec8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.JULY SOA.exe.3bae2b0.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.JULY SOA.exe.3bae2b0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 19.2.DnDcR.exe.43cbec8.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.DnDcR.exe.43cbec8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.JULY SOA.exe.3be2ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.JULY SOA.exe.3be2ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.JULY SOA.exe.3bae2b0.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.JULY SOA.exe.3bae2b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 19.2.DnDcR.exe.32fd8f4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.2.JULY SOA.exe.2a4d8b4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.2.JULY SOA.exe.3ac8c30.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.JULY SOA.exe.3ac8c30.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.319820199.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000013.00000002.450194726.0000000004362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000010.00000000.308754595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: JULY SOA.exe PID: 5808, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: JULY SOA.exe PID: 4972, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: DnDcR.exe PID: 2080, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 16.0.JULY SOA.exe.400000.0.unpack, <PrivateImplementationDetails>{725F2A01-418F-4591-8BE2-DEB8CFCC3827}/3AE6CE3C-FED2-4848-91E4-088382D94767.cs Large array initialization: .cctor: array initializer size 11641
Source: JULY SOA.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 16.0.JULY SOA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.JULY SOA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 19.2.DnDcR.exe.43cbec8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.DnDcR.exe.43cbec8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.JULY SOA.exe.3bae2b0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.JULY SOA.exe.3bae2b0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 19.2.DnDcR.exe.43cbec8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.DnDcR.exe.43cbec8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.JULY SOA.exe.3be2ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.JULY SOA.exe.3be2ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.JULY SOA.exe.3bae2b0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.JULY SOA.exe.3bae2b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 19.2.DnDcR.exe.32fd8f4.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 0.2.JULY SOA.exe.2a4d8b4.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 0.2.JULY SOA.exe.3ac8c30.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.JULY SOA.exe.3ac8c30.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.319820199.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000013.00000002.450194726.0000000004362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000010.00000000.308754595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: JULY SOA.exe PID: 5808, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects a base64-encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: JULY SOA.exe PID: 5808, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: JULY SOA.exe PID: 4972, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: DnDcR.exe PID: 2080, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects a base64-encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: DnDcR.exe PID: 2080, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: DnDcR.exe PID: 3168, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects a base64-encoded executable with reversed characters, score = file, reference = Internal Research
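The SUSP_Reversed_Base64_Encoded_EXE hits above are on process memory strings of the loader stages (JULY SOA.exe PID 5808, DnDcR.exe PIDs 2080 and 3168), not on the unpacked AgentTesla payload itself. The trick the rule name describes is simple: the next stage is kept as base64 text written backwards, so the familiar "TVqQ" prefix of an MZ header never appears in forward order and a naive base64 carver misses it. The Python below is an added illustration of that encoding and of how to carve and undo it; it is not the Yara rule, not code from the sample, and FAKE_PE is a constructed stand-in byte string with an MZ header rather than a real executable.

```python
import base64
import re

# First 12 bytes of the DOS header that nearly every PE linker emits:
# "MZ", e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4.  12 bytes encode to
# exactly 16 base64 characters, so no padding can shift the alignment.
MZ_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
B64_MARKER = base64.b64encode(MZ_PREFIX).decode()   # "TVqQAAMAAAAEAAAA"
REVERSED_MARKER = B64_MARKER[::-1]                   # "AAAAEAAAAMAAQqVT"

# A run of base64 alphabet characters long enough to be worth looking at.
_B64_RUN = re.compile(r"[A-Za-z0-9+/=]{32,}")

# Constructed stand-in for an embedded payload: MZ header bytes followed by
# filler.  It is NOT a valid executable; it only has to start like one.
FAKE_PE = (MZ_PREFIX + b"\xff\xff\x00\x00" + bytes(48)
           + b"This program cannot be run in DOS mode.")


def stash_reversed(pe_bytes: bytes) -> str:
    """Loader side: base64-encode the payload, then write the text backwards."""
    return base64.b64encode(pe_bytes).decode()[::-1]


def find_reversed_pe(text: str) -> list:
    """Analyst side: carve every reversed-base64 PE out of a string dump.

    In the reversed text the *start* of the original base64 (the MZ marker)
    sits at the end of the run, so the payload is everything from the start
    of the run up to and including the reversed marker, read backwards.
    """
    found = []
    for run in _B64_RUN.finditer(text):
        blob = run.group(0)
        end = blob.find(REVERSED_MARKER)
        if end == -1:
            continue
        candidate = blob[: end + len(REVERSED_MARKER)][::-1]
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(b"MZ"):
            found.append(decoded)
    return found


# Constructed "process memory strings": some ordinary strings around the
# reversed payload, the way a MEMORYSTR scan would see them.
SAMPLE_STRINGS = "\n".join([
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    stash_reversed(FAKE_PE),
    "schtasks.exe /Create /TN Updates",
])

if __name__ == "__main__":
    for blob in find_reversed_pe(SAMPLE_STRINGS):
        print(f"recovered {len(blob)} bytes, header {blob[:2]!r}")
```

FAKE_PE is 103 bytes, so its base64 form ends in "==" and the reversed string begins with "=="; the carver handles that because the padding simply ends up back at the tail after the second reversal. On a real dump the recovered bytes would go to a second Yara pass, which is what lets the Windows_Trojan_AgentTesla rule above match the payload that the loader never writes to disk in plain form.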
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_01074FD0 0_2_01074FD0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0107C894 0_2_0107C894
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_01074FC0 0_2_01074FC0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0107F350 0_2_0107F350
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0107F360 0_2_0107F360
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6D5B8 0_2_05B6D5B8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6E5C8 0_2_05B6E5C8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B65528 0_2_05B65528
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B62FF0 0_2_05B62FF0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B64740 0_2_05B64740
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B69898 0_2_05B69898
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B60040 0_2_05B60040
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B64AD8 0_2_05B64AD8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B65260 0_2_05B65260
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6E5BA 0_2_05B6E5BA
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B65519 0_2_05B65519
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6F650 0_2_05B6F650
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6D9B0 0_2_05B6D9B0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6D99F 0_2_05B6D99F
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B64AC9 0_2_05B64AC9
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6F278 0_2_05B6F278
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6F268 0_2_05B6F268
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B65250 0_2_05B65250
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07540F00 0_2_07540F00
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07547F88 0_2_07547F88
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0754CAD0 0_2_0754CAD0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0754B100 0_2_0754B100
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07540040 0_2_07540040
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0754C838 0_2_0754C838
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0754B4D0 0_2_0754B4D0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_075484A0 0_2_075484A0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07547F78 0_2_07547F78
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0754BB18 0_2_0754BB18
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07543718 0_2_07543718
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07543708 0_2_07543708
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07549BF8 0_2_07549BF8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07546FBC 0_2_07546FBC
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07549BA8 0_2_07549BA8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07540E10 0_2_07540E10
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07544230 0_2_07544230
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07541E38 0_2_07541E38
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07541E28 0_2_07541E28
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_075432D8 0_2_075432D8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_075432C9 0_2_075432C9
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07543550 0_2_07543550
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07543540 0_2_07543540
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0754C538 0_2_0754C538
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07544190 0_2_07544190
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_0754B858 0_2_0754B858
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07540006 0_2_07540006
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07547008 0_2_07547008
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_07543091 0_2_07543091
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_075430A0 0_2_075430A0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609B652 16_2_0609B652
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06096308 16_2_06096308
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609B338 16_2_0609B338
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060951C8 16_2_060951C8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060932A8 16_2_060932A8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06096118 16_2_06096118
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061EDC63 16_2_061EDC63
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061EE060 16_2_061EE060
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061E60A8 16_2_061E60A8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061EA588 16_2_061EA588
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061E19B0 16_2_061E19B0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061E0040 16_2_061E0040
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061E9508 16_2_061E9508
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061E1159 16_2_061E1159
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_061E2DA0 16_2_061E2DA0
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0626AF38 16_2_0626AF38
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06263288 16_2_06263288
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06264AE8 16_2_06264AE8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06445648 16_2_06445648
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_064432D8 16_2_064432D8
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06440040 16_2_06440040
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06449440 16_2_06449440
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0644001E 16_2_0644001E
Source: JULY SOA.exe, 00000000.00000002.319820199.00000000039F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs JULY SOA.exe
Source: JULY SOA.exe, 00000000.00000002.319820199.00000000039F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRbhfKncGjBvSEEOOUbcR.exe4 vs JULY SOA.exe
Source: JULY SOA.exe, 00000000.00000002.319820199.00000000039F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebIJjU.exeH vs JULY SOA.exe
Source: JULY SOA.exe, 00000000.00000002.313583973.00000000029F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs JULY SOA.exe
Source: JULY SOA.exe, 00000000.00000002.313583973.00000000029F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRbhfKncGjBvSEEOOUbcR.exe4 vs JULY SOA.exe
Source: JULY SOA.exe, 00000000.00000002.339227607.00000000074B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs JULY SOA.exe
Source: JULY SOA.exe, 00000000.00000002.319691103.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs JULY SOA.exe
Source: JULY SOA.exe, 00000000.00000000.253007784.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebIJjU.exeH vs JULY SOA.exe
Source: JULY SOA.exe, 00000010.00000002.522960121.0000000000B38000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs JULY SOA.exe
Source: JULY SOA.exe, 00000010.00000000.309230290.0000000000436000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRbhfKncGjBvSEEOOUbcR.exe4 vs JULY SOA.exe
Source: JULY SOA.exe, 00000010.00000003.319095097.00000000060E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebIJjU.exeH vs JULY SOA.exe
Source: JULY SOA.exe Binary or memory string: OriginalFilenamebIJjU.exeH vs JULY SOA.exe
Source: JULY SOA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qOHVWexsnI.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DnDcR.exe.16.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JULY SOA.exe Virustotal: Detection: 59%
Source: JULY SOA.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\JULY SOA.exe File read: C:\Users\user\Desktop\JULY SOA.exe Jump to behavior
Source: JULY SOA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JULY SOA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\JULY SOA.exe "C:\Users\user\Desktop\JULY SOA.exe"
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOHVWexsnI" /XML "C:\Users\user\AppData\Local\Temp\tmp3EB6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Users\user\Desktop\JULY SOA.exe {path}
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Users\user\Desktop\JULY SOA.exe {path}
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Users\user\Desktop\JULY SOA.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe "C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe "C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe"
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOHVWexsnI" /XML "C:\Users\user\AppData\Local\Temp\tmp158E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe {path}
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe {path}
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOHVWexsnI" /XML "C:\Users\user\AppData\Local\Temp\tmp3EB6.tmp" Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Users\user\Desktop\JULY SOA.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Users\user\Desktop\JULY SOA.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Users\user\Desktop\JULY SOA.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOHVWexsnI" /XML "C:\Users\user\AppData\Local\Temp\tmp158E.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\JULY SOA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JULY SOA.exe File created: C:\Users\user\AppData\Roaming\qOHVWexsnI.exe Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe File created: C:\Users\user\AppData\Local\Temp\tmp3EB6.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@19/10@4/2
Source: C:\Users\user\Desktop\JULY SOA.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: JULY SOA.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\JULY SOA.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior (2 occurrences)
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior (3 occurrences)
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Mutant created: \Sessions\1\BaseNamedObjects\vXPoPZNjXXibBWcgZq
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_01
Source: 16.0.JULY SOA.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 occurrences)
Source: C:\Users\user\Desktop\JULY SOA.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior (4 occurrences)
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: C:\Users\user\Desktop\JULY SOA.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: JULY SOA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: JULY SOA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05BB04B2 push edi; ret 0_2_05BB04B4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05BB08F5 push eax; iretd 0_2_05BB08F9
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05BB2237 push cs; retf 0_2_05BB2241
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609165F push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609166B push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091663 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609169B push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609169F push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060916AB push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060916A7 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060916B7 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091789 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609179B push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091793 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060917A1 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060917B9 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060917D1 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060917EB push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609181B push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091817 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091827 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091833 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091863 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091867 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_0609187F push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_06091873 push es; ret 16_2_060918C4
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060918AF push es; ret 16_2_06091910
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060918BF push es; ret 16_2_06091910
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060918B3 push es; ret 16_2_06091910
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060918CB push es; ret 16_2_06091910
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060918C5 push es; ret 16_2_06091910
Source: initial sample Static PE information: section name: .text entropy: 7.420583605513861 (3 occurrences)
Source: C:\Users\user\Desktop\JULY SOA.exe File created: C:\Users\user\AppData\Roaming\qOHVWexsnI.exe Jump to dropped file
Source: C:\Users\user\Desktop\JULY SOA.exe File created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Jump to dropped file

Boot Survival

barindex
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOHVWexsnI" /XML "C:\Users\user\AppData\Local\Temp\tmp3EB6.tmp"
Source: C:\Users\user\Desktop\JULY SOA.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DnDcR Jump to behavior (2 occurrences)
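The Boot Survival entries give a responder everything needed to hunt and clean this infection's persistence: a scheduled task registered from a temporary XML under the "Updates" task folder, a DnDcR value in the HKCU Run key, the two dropped binaries listed above under AppData\Roaming, and the vXPoPZNjXXibBWcgZq mutant created by DnDcR.exe. The Python below is an added example, not part of this report or of Joe Sandbox: it pulls those artefacts out of behaviour lines written in this report's format and emits the matching removal commands. The regular expressions are written for the line shapes seen on this page and are an assumption for other reports; the input lines are constructed from the values above.

```python
import re
from dataclasses import dataclass, field

# Behaviour lines in the shape Joe Sandbox emits, constructed from the report
# above so the example runs offline.  Only values that appear in the report
# are used (paths, task name, Run value name, mutant name).
REPORT_LINES = [
    r'Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOHVWexsnI" /XML "C:\Users\user\AppData\Local\Temp\tmp3EB6.tmp"',
    r'Source: C:\Users\user\Desktop\JULY SOA.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DnDcR Jump to behavior',
    r'Source: C:\Users\user\Desktop\JULY SOA.exe File created: C:\Users\user\AppData\Roaming\qOHVWexsnI.exe Jump to dropped file',
    r'Source: C:\Users\user\Desktop\JULY SOA.exe File created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Jump to dropped file',
    r'Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Mutant created: \Sessions\1\BaseNamedObjects\vXPoPZNjXXibBWcgZq',
    r'Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01',
]

# The quote after schtasks.exe is optional: extracted reports sometimes lose
# it, and the closing quote of the XML path may be missing for the same reason.
_SCHTASKS = re.compile(r'schtasks\.exe"? /Create /TN "([^"]+)" /XML "([^"]+)')
_RUNKEY = re.compile(r'Registry value created or modified: (\S+\\Run) (\S+)')
_DROPPED = re.compile(r'File created: (.+?) Jump to dropped file')
_MUTANT = re.compile(r'Mutant created: \\Sessions\\\d+\\BaseNamedObjects\\(?:Local\\)?(\S+)')


@dataclass
class PersistenceIOCs:
    scheduled_tasks: list = field(default_factory=list)   # (task name, XML source)
    run_keys: list = field(default_factory=list)          # (key path, value name)
    dropped_files: list = field(default_factory=list)
    mutexes: list = field(default_factory=list)

    def remediation_commands(self) -> list:
        """cmd.exe lines to remove the persistence once the processes are killed.
        Task and Run value go first so nothing can relaunch the dropped binaries."""
        cmds = [f'schtasks /Delete /TN "{name}" /F' for name, _ in self.scheduled_tasks]
        cmds += [f'reg delete "{key}" /v {value} /f' for key, value in self.run_keys]
        cmds += [f'del /f /q "{path}"' for path in self.dropped_files]
        return cmds


def task_file_path(task_name: str, system_root: str = "C:\\Windows") -> str:
    # The Task Scheduler keeps each registered task as an XML file under
    # %SystemRoot%\System32\Tasks, mirroring the task folder structure, so the
    # task "Updates\qOHVWexsnI" is also a hunting artefact on disk.
    return f"{system_root}\\System32\\Tasks\\{task_name}"


def _add_unique(bucket: list, item) -> None:
    # Sandbox reports repeat the same event once per process instance.
    if item not in bucket:
        bucket.append(item)


def extract_persistence(lines) -> PersistenceIOCs:
    iocs = PersistenceIOCs()
    for line in lines:
        if m := _SCHTASKS.search(line):
            _add_unique(iocs.scheduled_tasks, (m.group(1), m.group(2)))
        elif m := _RUNKEY.search(line):
            _add_unique(iocs.run_keys, (m.group(1), m.group(2)))
        elif m := _DROPPED.search(line):
            _add_unique(iocs.dropped_files, m.group(1))
        elif m := _MUTANT.search(line):
            # conhost's SM0:<pid>:120:WilError_01 mutants are ordinary Windows
            # noise and must not end up in an IOC list.
            if "WilError" not in m.group(1):
                _add_unique(iocs.mutexes, m.group(1))
    return iocs


if __name__ == "__main__":
    found = extract_persistence(REPORT_LINES)
    for name, _ in found.scheduled_tasks:
        print("task file on disk:", task_file_path(name))
    print("\n".join(found.remediation_commands()))
```

The XML source path (tmp3EB6.tmp, or tmp158E.tmp when DnDcR.exe re-registers the task) is transient, so the durable indicators are the task name, the Run value name, the file paths and the mutant name; the task file under System32\Tasks survives even if the Temp file is gone.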

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Users\user\Desktop\JULY SOA.exe File opened: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes (3 occurrences)
Source: C:\Users\user\Desktop\JULY SOA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: JULY SOA.exe PID: 5808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DnDcR.exe PID: 2080, type: MEMORYSTR
Source: JULY SOA.exe, 00000000.00000002.313583973.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: JULY SOA.exe, 00000000.00000002.313583973.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\JULY SOA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\JULY SOA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\JULY SOA.exe TID: 1428 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\JULY SOA.exe TID: 1664 Thread sleep count: 9627 > 30
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe TID: 3496 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe TID: 1992 Thread sleep count: 9485 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\JULY SOA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JULY SOA.exe Window / User API: threadDelayed 9627
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Window / User API: threadDelayed 9485
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 0_2_05B6FEE1 sldt word ptr [eax] 0_2_05B6FEE1
Source: C:\Users\user\Desktop\JULY SOA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\JULY SOA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JULY SOA.exe Process information queried: ProcessInformation
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: JULY SOA.exe, 00000010.00000002.562310812.00000000060E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: JULY SOA.exe, 00000010.00000003.382664498.0000000006BB7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: DnDcR.exe, 00000013.00000002.434546929.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: JULY SOA.exe, 00000010.00000002.563359578.0000000006181000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.387953820.0000000006178000.00000004.00000800.00020000.00000000.sdmp, JULY SOA.exe, 00000010.00000003.382381731.0000000006180000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd
Source: C:\Users\user\Desktop\JULY SOA.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\JULY SOA.exe Code function: 16_2_060982F8 LdrInitializeThunk, 16_2_060982F8
Source: C:\Users\user\Desktop\JULY SOA.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\JULY SOA.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\JULY SOA.exe Memory written: C:\Users\user\Desktop\JULY SOA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Memory written: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOHVWexsnI" /XML "C:\Users\user\AppData\Local\Temp\tmp3EB6.tmp
Source: C:\Users\user\Desktop\JULY SOA.exe Process created: C:\Users\user\Desktop\JULY SOA.exe {path}
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOHVWexsnI" /XML "C:\Users\user\AppData\Local\Temp\tmp158E.tmp
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Process created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe {path}
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Users\user\Desktop\JULY SOA.exe VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Users\user\Desktop\JULY SOA.exe VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\JULY SOA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\JULY SOA.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information

Source: Yara match File source: 16.0.JULY SOA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DnDcR.exe.43cbec8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3bae2b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DnDcR.exe.43cbec8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3be2ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3bae2b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3ac8c30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.319820199.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.450194726.0000000004362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.308754595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.535440551.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.536397827.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: JULY SOA.exe PID: 5808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JULY SOA.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DnDcR.exe PID: 2080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DnDcR.exe PID: 3896, type: MEMORYSTR
Source: C:\Users\user\Desktop\JULY SOA.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\JULY SOA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\JULY SOA.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\JULY SOA.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000010.00000002.535440551.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.536397827.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: JULY SOA.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DnDcR.exe PID: 3896, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 16.0.JULY SOA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DnDcR.exe.43cbec8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3bae2b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.DnDcR.exe.43cbec8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3be2ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3bae2b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JULY SOA.exe.3ac8c30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.319820199.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.450194726.0000000004362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.308754595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.535440551.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.536397827.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: JULY SOA.exe PID: 5808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JULY SOA.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DnDcR.exe PID: 2080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DnDcR.exe PID: 3896, type: MEMORYSTR