Edit tour

Windows Analysis Report
r8gcHFIf3x.exe

Overview

General Information

Sample name:	r8gcHFIf3x.exe renamed because original name is a hash value
Original sample name:	0515dceafb2ac3a01d779111aabc07e0876b573b67df42af4e183243e7c506ff.exe
Analysis ID:	1546359
MD5:	71e459322fc143c6f54fa4075bbea27f
SHA1:	91926031ae3212e02ac61236d89fc5e7cdb82655
SHA256:	0515dceafb2ac3a01d779111aabc07e0876b573b67df42af4e183243e7c506ff
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

r8gcHFIf3x.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\r8gcHFIf3x.exe" MD5: 71E459322FC143C6F54FA4075BBEA27F)

svchost.exe (PID: 5040 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 71E459322FC143C6F54FA4075BBEA27F)

svchost.exe (PID: 5956 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 71E459322FC143C6F54FA4075BBEA27F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["23.ip.gl.ply.gg", "127.0.0.1"], "Port": "40630", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
r8gcHFIf3x.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
r8gcHFIf3x.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xd444:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd4e1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd5f6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd09a:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\svchost.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\svchost.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xd444:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd4e1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd5f6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd09a:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4127638829.0000000013251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.4127638829.0000000013251000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5f04:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5fa1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x60b6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5b5a:$cnc4: POST / HTTP/1.1
00000000.00000000.1662726920.0000000000F22000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1662726920.0000000000F22000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xd244:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd2e1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd3f6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xce9a:$cnc4: POST / HTTP/1.1
Process Memory Space: r8gcHFIf3x.exe PID: 6200	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.r8gcHFIf3x.exe.f20000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.r8gcHFIf3x.exe.f20000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xd444:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd4e1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd5f6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd09a:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\r8gcHFIf3x.exe, ProcessId: 6200, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5040, ProcessName: svchost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\r8gcHFIf3x.exe, ProcessId: 6200, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\r8gcHFIf3x.exe, ProcessId: 6200, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5040, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T20:09:14.606055+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49735	TCP
2024-10-31T20:09:53.611751+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49746	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T20:11:41.609504+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	50029	147.185.221.23	40630	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: r8gcHFIf3x.exe

Malware Configuration Extractor: Xworm {"C2 url": ["23.ip.gl.ply.gg", "127.0.0.1"], "Port": "40630", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: r8gcHFIf3x.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: r8gcHFIf3x.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: r8gcHFIf3x.exe	String decryptor: 23.ip.gl.ply.gg,127.0.0.1
Source: r8gcHFIf3x.exe	String decryptor: 40630
Source: r8gcHFIf3x.exe	String decryptor: <123456789>
Source: r8gcHFIf3x.exe	String decryptor: <Xwormmm>
Source: r8gcHFIf3x.exe	String decryptor: XWorm V5.6
Source: r8gcHFIf3x.exe	String decryptor: USB.exe
Source: r8gcHFIf3x.exe	String decryptor: %AppData%
Source: r8gcHFIf3x.exe	String decryptor: svchost.exe

Source: r8gcHFIf3x.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: r8gcHFIf3x.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49845 -> 147.185.221.23:40630
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50029 -> 147.185.221.23:40630

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 23.ip.gl.ply.gg
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: global traffic

TCP traffic: 192.168.2.4:49742 -> 147.185.221.23:40630

Source: Joe Sandbox View

IP Address: 147.185.221.23 147.185.221.23

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49746

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 23.ip.gl.ply.gg

Source: r8gcHFIf3x.exe, 00000000.00000002.4126190732.0000000003241000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: r8gcHFIf3x.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.r8gcHFIf3x.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4127638829.0000000013251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1662726920.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Code function: 0_2_00007FFD9B898062	0_2_00007FFD9B898062
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Code function: 0_2_00007FFD9B891289	0_2_00007FFD9B891289
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Code function: 0_2_00007FFD9B8972B6	0_2_00007FFD9B8972B6
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 1_2_00007FFD9B8B1289	1_2_00007FFD9B8B1289
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 3_2_00007FFD9B8B1289	3_2_00007FFD9B8B1289

Source: r8gcHFIf3x.exe, 00000000.00000002.4127638829.000000001329A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs r8gcHFIf3x.exe
Source: r8gcHFIf3x.exe, 00000000.00000000.1662749871.0000000000F74000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs r8gcHFIf3x.exe
Source: r8gcHFIf3x.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs r8gcHFIf3x.exe

Source: r8gcHFIf3x.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: r8gcHFIf3x.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.r8gcHFIf3x.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4127638829.0000000013251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1662726920.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: r8gcHFIf3x.exe, pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: r8gcHFIf3x.exe, pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: r8gcHFIf3x.exe, pho3rSOmHqcbUnlzXgy8Bagz4JE3YuNdti.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, pho3rSOmHqcbUnlzXgy8Bagz4JE3YuNdti.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: svchost.exe.0.dr, YzIGmiPgKJnYbfyfkZHjnmJHHAU8M65EWIsfycHGCX6KDORFPNUxl7rxmKvK6UsGxkdV0p4nFlvmUWh17alqYY33cFmX.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, YzIGmiPgKJnYbfyfkZHjnmJHHAU8M65EWIsfycHGCX6KDORFPNUxl7rxmKvK6UsGxkdV0p4nFlvmUWh17alqYY33cFmX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: r8gcHFIf3x.exe, YzIGmiPgKJnYbfyfkZHjnmJHHAU8M65EWIsfycHGCX6KDORFPNUxl7rxmKvK6UsGxkdV0p4nFlvmUWh17alqYY33cFmX.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: r8gcHFIf3x.exe, YzIGmiPgKJnYbfyfkZHjnmJHHAU8M65EWIsfycHGCX6KDORFPNUxl7rxmKvK6UsGxkdV0p4nFlvmUWh17alqYY33cFmX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/3@2/2

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Mutant created: \Sessions\1\BaseNamedObjects\VdX3velzFq0rtigH
Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: NULL

Source: r8gcHFIf3x.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: r8gcHFIf3x.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: r8gcHFIf3x.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

File read: C:\Users\user\Desktop\r8gcHFIf3x.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\r8gcHFIf3x.exe "C:\Users\user\Desktop\r8gcHFIf3x.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: svchost.lnk.0.dr

LNK file: ..\..\..\..\..\svchost.exe

Source: r8gcHFIf3x.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: r8gcHFIf3x.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: r8gcHFIf3x.exe, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.xT3t9bMqv2L437TOhtNVSFeWry5fDgUOubCKt8zH2GtMmXgdp2cXdUDKmT8tjq05pP5DyyAs5iM7MUrRhkVeuFLOv7F6,YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.Q4A2sZ2cdl2dk7hqDJXk7A1wFw2mzzBEbe3LHHloWngyd4vXP3fR3r3Kfnj94TQuKclWlEY6UwdKsfU3Oo4R6jwseRx0,YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.m7zlEJVIt5RZw68dKns3lZXHzG8ngwyibMmX0NOyM9XZjpgKIHYAdP20azX9Fycxa4zBANbOYWNr99DldvFQokBq6EpH,YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.PbC64ZrgSMPRqMvCxQZugn5eWlhspR8GeCArNBLr8VCL6HGrps7SKpzBiRW1JDX8QPSABwVkvulKnk8IEAWwVJPlNdbJ,pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.Qn1MNxQL9Ko2Z4j5bCf19ikDidJY0de3hn()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: r8gcHFIf3x.exe, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{nR0twHRFAp04To9YwddNY09R6Ctu2FDz1A[2],pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.Qo2Hp77EYBRZYWkTQAQTEd6hGUPSHDylkc(Convert.FromBase64String(nR0twHRFAp04To9YwddNY09R6Ctu2FDz1A[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.xT3t9bMqv2L437TOhtNVSFeWry5fDgUOubCKt8zH2GtMmXgdp2cXdUDKmT8tjq05pP5DyyAs5iM7MUrRhkVeuFLOv7F6,YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.Q4A2sZ2cdl2dk7hqDJXk7A1wFw2mzzBEbe3LHHloWngyd4vXP3fR3r3Kfnj94TQuKclWlEY6UwdKsfU3Oo4R6jwseRx0,YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.m7zlEJVIt5RZw68dKns3lZXHzG8ngwyibMmX0NOyM9XZjpgKIHYAdP20azX9Fycxa4zBANbOYWNr99DldvFQokBq6EpH,YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.PbC64ZrgSMPRqMvCxQZugn5eWlhspR8GeCArNBLr8VCL6HGrps7SKpzBiRW1JDX8QPSABwVkvulKnk8IEAWwVJPlNdbJ,pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.Qn1MNxQL9Ko2Z4j5bCf19ikDidJY0de3hn()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{nR0twHRFAp04To9YwddNY09R6Ctu2FDz1A[2],pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.Qo2Hp77EYBRZYWkTQAQTEd6hGUPSHDylkc(Convert.FromBase64String(nR0twHRFAp04To9YwddNY09R6Ctu2FDz1A[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: r8gcHFIf3x.exe, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: AkXev93FSuWdPKLUrKCQFADuOpAxsZMNuaZPaMugnaPyCsEp0doSUtIc2fStj0EDUYpx1CD9sSBtVOSpSFOPLWyZSU3f System.AppDomain.Load(byte[])
Source: r8gcHFIf3x.exe, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: IqvHyogxhMKuogzYB2b0Snzapy9KHTHBhN System.AppDomain.Load(byte[])
Source: r8gcHFIf3x.exe, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: IqvHyogxhMKuogzYB2b0Snzapy9KHTHBhN
Source: svchost.exe.0.dr, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: AkXev93FSuWdPKLUrKCQFADuOpAxsZMNuaZPaMugnaPyCsEp0doSUtIc2fStj0EDUYpx1CD9sSBtVOSpSFOPLWyZSU3f System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: IqvHyogxhMKuogzYB2b0Snzapy9KHTHBhN System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	.Net Code: IqvHyogxhMKuogzYB2b0Snzapy9KHTHBhN

Source: r8gcHFIf3x.exe, Nzn4QmVYYfjF5KbF2n413Arg37qvJHChOb.cs	High entropy of concatenated method names: 'W1X0XcD8t5zr4KxTapiVtTepEbiWCbhwXv', 'Elst2oNJcpq7eOKiUgDVj9bNVhi12zpuU2', 'nt3B5DwU8SXyZroDbGayYtEqZwPCZfpGKF', 'pIhgMyWVHTN4nBw6khBjkwFaimY441RZ4OHDynQJONSSQ0T2wFJWbePXsAaBKFPfhk', 'nI4SYB79cKikwOv0iqntsUN5SJtbEpAnSFA1MU3XanSFXc0qs4zRxpJE4QKwB71o9l', 'MSXYrMoEq91Bs7bw0BlCOFLv99UYwLW1GTJoou0IW1lp9JnmBaIADFAn2Qx6IZSt2X', 'JR9MyLrxZmZE9wb8xcl3WPptRb67sRcWoxI5RFuMaVolSQ1llOOdtpRK7rUIb1z5BZ', '_37XDzhRSid7tETTfHcNCBgTsEW4nE8Vk63cjyQ5fCZl5UhDfWWgH7mVyrvOVobZcAh', 'rQqominxLA9seeM4CoEI3lbeXtcW8MiGsnDVrbREfmDMIgzim9X2kaSn52hBqWaNKt', '_1Xe95kpMnQFY1wa3kgwq2mAMh1l2LOVMalQuyiZ9FYfilHW2VeuzkwCzaehSAsLpZR'
Source: r8gcHFIf3x.exe, YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.cs	High entropy of concatenated method names: '_0mZlS0jhwuO3v54pxVdjfaqbNtkwiujJDi', 'Z0EeZ65YYWEsJdBCGPzGLGqp5XbChzgYlT', 'EPZ9TUP3C33nZmOvURcyvEtFkPPiGnqZnp', 'AGorOGLMiLaydWMRxHimC3YBZtSZJH8atS'
Source: r8gcHFIf3x.exe, tfgVm6D8umxIfo1dHPpt2RJAjyYw7BPXwLl82ZqQ8ZyYJhcBtWqjDJwpM0492aPlynPaj5BCvTusiY0pAmNFtqVdJX8T.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_1aZx0kNkRYHwYJC66Ap4n8Mv16RQWMJrPj', 'O7WHTQj3hnbsi7IEMsHmI5NpiNC4Hc0fOW', 'DEuAhpYpiYCyoKQT8StAgI78MShNlC72bB', 'FRQfv79jbHQtbXBwPo8rdSxU5xq64qAzSF'
Source: r8gcHFIf3x.exe, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	High entropy of concatenated method names: 'xzLWdTT4Gb2FJRdaah6MV6qa4lKtbwpT9OTIYA5eAUhFS3feifzmxHhCRsYUSviZxrhCcjEZx7zWW4eNeY1V0Hkarz8V', 'AkXev93FSuWdPKLUrKCQFADuOpAxsZMNuaZPaMugnaPyCsEp0doSUtIc2fStj0EDUYpx1CD9sSBtVOSpSFOPLWyZSU3f', 'RxopihD9ffEjjZngLigJW4hxmRXVuScSCSjwGHmxvL7oqOlk8SV2sBNBQRiyo2sFEnxMDa9yh9n3MnOSfYAMdhzt1ogv', 'NmGjcCUZ49RlWuXs1CJVCyyXCKDdu1f9zpxU4snxfGQn24vbR2mWD2vGxwMymqzQJariEAqo9sNSvM030mnTvbG8eklM', 'hraADK1pVojBr0AW9NkSDq67ttn7r38nfLBXdPaAg8ftE6vI0Gm4lZV3KqRIEwTmBikeeUn6DzBohwrzxTI8C5lPwWSp', 'vTnpzA97zexXeV1l1jGC8NXjrM3e2yIR9dY2CjQFfRAjlSRhiO2lsVmj1qXqTVqV8bm7sbaKPoKiuahI7Vnjpg1w6z8A', 'P51HgDNJ7OH3arFKxzFvFYqjsMdTGH5c9ctGBTSNbqsJlzh8mwQZ2CaCplot6AKmqMnEjAHx3bPf1uXpFLF0LudXLCM2', 'H2ahoUWnWyyoSd5CXU8wIY9CUpeC0x2Z7Tp0gAPiIPxcmsx4i2DMVFzuAABDzvPaf2Cf5YMJN94eishQepiIKRuP5Usg', 'myx2lCFg8uw0h4Edvs3gRjgfgIjOMfag3w', 'Ww8ZRSO5YbWDgF3GhcNEWehckuCi7YSOfx'
Source: r8gcHFIf3x.exe, YzIGmiPgKJnYbfyfkZHjnmJHHAU8M65EWIsfycHGCX6KDORFPNUxl7rxmKvK6UsGxkdV0p4nFlvmUWh17alqYY33cFmX.cs	High entropy of concatenated method names: 'jjO0O2jqL8vmR9Chd0qR5eQRKHO1GyJT0kUPmnmQtDs2VLV40xzb6Rs4TagHULzAVoZLKnngM60FjcGBzu89DmTQI8vJ', 'kjhXWJSokhOtFfqu8NDIUrAD19dRivDF3StU1mj38dyv0wmsq5wRzXB2bRfJJzmUk82EtbfShYpx1RFuFxZKfESAQBEh', '_1UZH3tTApbrChxltnHeq6xEZ60HzDN0wp0HZPB78EArM7wTdkpOl2mMmoXMNzufUYPqfcp10W8nVohoHcsyJTWhxURnz', 'TNR0TFYwaS00LfDWiN9vdgjBftaFd9ukJBSlPQaQqSFcFovTM6FnUL4JrN2armr0ZUDCxfnqdsgYznwQFSixVk6mkPzL', 'z7Htu8z2E3jX6MUgCR6BbVjw2bM4dyVI9ak8PQclYUCDzDu8djVw7P7iSXZJHfUE9lO0OeuwYaML9Gj0JV1e3DDC5DbD', 'dvALSphKd8LdHbaXin6qbEhqpORwTsrkpJ6fovuUXPp2AbNSBD7BRbm7bIyCtpORtSGnD9e2BJDquGHdTx2ODPOeizVu', 'L0K2CN12pdjPf924idUEA5xeup8i2HPgZ3hBgMAPZCrw1qjkMk9AsuUD0F3iTseAqEFAF5upgZDXO4i72oWcA805HmmE', 'rU2AG5th59Fb7E9OZMr0FHTp2ECAfhy3UJI1q7K8NBkBAmothVeaK1puiEO2Dj6amyvFDm7sSB7uMAba7m8SDOLYUQs3', 'AwHXNOrsSWKO9ENisqKTOyxRYhUZ8nYJWi9Rz6ozmhGjEx1HEoFJjQVKCrLZkc1pZHewWWesF8SuTAmWGaabKo8zmXYV', 'SJry6YPU5zZN7CDG9yDQ8VKcHJvKvjVVZxS3x4OhNa4aYnvwMjQqo4QMe2flsmKvXp6B8IflWehOFEebfMKyxiqohBYT'
Source: r8gcHFIf3x.exe, pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.cs	High entropy of concatenated method names: 'Uhznn11mf6B0rRRYiTsSudEI85opxeON3V', 'jrdcgsri4CHBg6yraaoEcuLv4pse9OQd8P', 'pONd1qDfZpQzwkM9DshCvaDQ2SyZetQzxw', 'LN67S4aP909G2NZWx9wYMEfixD1xr06HTc', 'akoV1HslHfgbmaQaVcEmEueCwZ4P1v0bBl', 'ThShI1Qk4nypZOLt7B2Sym28MgPcoNpCfn', '_4MnPrgMTp3szGoClp4QwJfuHZWEpOtVeF5', 'DKO0hhqMATBoqoEV9qRtkiTQ5CDXaY7iwJ', '_0g1uxrjbqAaAskK8NMHAalLca0juxaKKOK', 'GklncdwpNglacw2anC7h3wmGIbHwXqOq1I'
Source: r8gcHFIf3x.exe, pho3rSOmHqcbUnlzXgy8Bagz4JE3YuNdti.cs	High entropy of concatenated method names: '_0icrunfexnMxtINK7LezMekONnryqXUocz', 'OB25gU0MW5oT87UEd6FXBmUsJlWZYVFMb4tIJ8lfXq8XoixMFIdWrUU3jdg8ADkBxQ', 'nn1FcqgizBCETFZInEquMNRhxp4mTiuHw0HxUNi3sqKR1oLtnbBHtuZKpzYwGcQeaZ', 'WDWyf7ocNJxOauFHmxSe8x1GT9dKVN0dOdA2KZg00YEX0s1NPMWsyg39pBRKNCHhkk', 'PGK2GzYVqSvO5APWHdhb4Za8EJ7ghvm5ywnKRRqbxhNcpMkRs7SFUYaBmnqxe0pMKh'
Source: r8gcHFIf3x.exe, MtvKIjJV4EBaEvHD8rGhwbnf7R7wcR7zxg.cs	High entropy of concatenated method names: 'HDwog3vtkOIDxgZNUCFu8rQUJMTlrXbM1Q', 'KuPE3Iuyxr1nlP381V8cH6e5G621iDeSdgHrh5rFC8ashlCvEukUiPzbnjr1oUWAij', 'PJBPo57VNwCjjajYAARf0C0FjBRW2U3i5U4Z6DpZNocDecM2BcGwXI8KgaHnyB42nv', 'qFM3lHeZ0bApEMBegX6qWPCPcrkm0WBjNTAgQzugiZyUX1QtqCPqPjZJfORqHUHapz', 'XymJZkmtVxAiG2EyR18EN2dh4R8ytc6RIOAr9LR0sHgrjvC0qFH7Vq8iMejAcHClKC'
Source: r8gcHFIf3x.exe, 8MyZ0VKDRsvCYuSMWMje1VOY4Yodx0mEmcCuwdf0d5IIenIlnwtKU8Cjtgi26pQNhG6X4f1X4GnovSJMgUGK3GrZYND4.cs	High entropy of concatenated method names: 'oszdFmqhQQRBmLmKMJfCh9xJdluKkajSsc9uvkwAWNM8EA6Ss8NXxbxdPvCtMt2R6FI3zD1vk49qANODuEFdbqhncvTS', 'Q6vwQVyaLPr17iFFUGDE9GOiw2pmMN7qlIgDUrs60LJ2dp9AQWdtoi9GRctOpRnfAB6ZuOWwisfnweJ7SeBPYrebDxXo', 'AAU8KvF5gTWN2XxQqvyYYXAIpPl1XrX7JaDYVQDW51H7IVdj7mMNekudtvIBlj87YDSW9ddl1uBMfWQzC69wom91MIYA', 'hPNIcK9XI9hmicPhRnl22atq5dzRC6ENsX', 'w6qbrGs4SEQV7tSZXlx6yKcZnQaTfZN4U3', 'sTXNrOXsuzmUyuStLc9vvITHwrETZiSQ12', 'V3zF0OxkUO2Z4ZoxVugpRZQTL7ECzCBCbL', '_6LpD3k1wr1z8AFRmgyOX6BwTPgtjnopZhK', 'fJPyYpkpsdwJ9DJZjbk6L4fqSRVMY3HRxy', 'rlph7BuQ8hQh4e4VTFVH7HVEtO8J91yqGy'
Source: svchost.exe.0.dr, Nzn4QmVYYfjF5KbF2n413Arg37qvJHChOb.cs	High entropy of concatenated method names: 'W1X0XcD8t5zr4KxTapiVtTepEbiWCbhwXv', 'Elst2oNJcpq7eOKiUgDVj9bNVhi12zpuU2', 'nt3B5DwU8SXyZroDbGayYtEqZwPCZfpGKF', 'pIhgMyWVHTN4nBw6khBjkwFaimY441RZ4OHDynQJONSSQ0T2wFJWbePXsAaBKFPfhk', 'nI4SYB79cKikwOv0iqntsUN5SJtbEpAnSFA1MU3XanSFXc0qs4zRxpJE4QKwB71o9l', 'MSXYrMoEq91Bs7bw0BlCOFLv99UYwLW1GTJoou0IW1lp9JnmBaIADFAn2Qx6IZSt2X', 'JR9MyLrxZmZE9wb8xcl3WPptRb67sRcWoxI5RFuMaVolSQ1llOOdtpRK7rUIb1z5BZ', '_37XDzhRSid7tETTfHcNCBgTsEW4nE8Vk63cjyQ5fCZl5UhDfWWgH7mVyrvOVobZcAh', 'rQqominxLA9seeM4CoEI3lbeXtcW8MiGsnDVrbREfmDMIgzim9X2kaSn52hBqWaNKt', '_1Xe95kpMnQFY1wa3kgwq2mAMh1l2LOVMalQuyiZ9FYfilHW2VeuzkwCzaehSAsLpZR'
Source: svchost.exe.0.dr, YgFE4kXx0wxgkpRzAZb5RwGdnThqFjuhpfw2CfzqLn9Ae9tBMmdHXMOY28DrFrEWBXGCq4pGP5yI8OJkxWOtOXcaHyfn.cs	High entropy of concatenated method names: '_0mZlS0jhwuO3v54pxVdjfaqbNtkwiujJDi', 'Z0EeZ65YYWEsJdBCGPzGLGqp5XbChzgYlT', 'EPZ9TUP3C33nZmOvURcyvEtFkPPiGnqZnp', 'AGorOGLMiLaydWMRxHimC3YBZtSZJH8atS'
Source: svchost.exe.0.dr, tfgVm6D8umxIfo1dHPpt2RJAjyYw7BPXwLl82ZqQ8ZyYJhcBtWqjDJwpM0492aPlynPaj5BCvTusiY0pAmNFtqVdJX8T.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_1aZx0kNkRYHwYJC66Ap4n8Mv16RQWMJrPj', 'O7WHTQj3hnbsi7IEMsHmI5NpiNC4Hc0fOW', 'DEuAhpYpiYCyoKQT8StAgI78MShNlC72bB', 'FRQfv79jbHQtbXBwPo8rdSxU5xq64qAzSF'
Source: svchost.exe.0.dr, tpeocHLsTaOhXVtWwkN8L95AXK083dgzOlfI8QUcW5aDC4b3Ktet96cExtHlbI2fQSJmlo5j9tppmccAQKdpDsq2Z2sz.cs	High entropy of concatenated method names: 'xzLWdTT4Gb2FJRdaah6MV6qa4lKtbwpT9OTIYA5eAUhFS3feifzmxHhCRsYUSviZxrhCcjEZx7zWW4eNeY1V0Hkarz8V', 'AkXev93FSuWdPKLUrKCQFADuOpAxsZMNuaZPaMugnaPyCsEp0doSUtIc2fStj0EDUYpx1CD9sSBtVOSpSFOPLWyZSU3f', 'RxopihD9ffEjjZngLigJW4hxmRXVuScSCSjwGHmxvL7oqOlk8SV2sBNBQRiyo2sFEnxMDa9yh9n3MnOSfYAMdhzt1ogv', 'NmGjcCUZ49RlWuXs1CJVCyyXCKDdu1f9zpxU4snxfGQn24vbR2mWD2vGxwMymqzQJariEAqo9sNSvM030mnTvbG8eklM', 'hraADK1pVojBr0AW9NkSDq67ttn7r38nfLBXdPaAg8ftE6vI0Gm4lZV3KqRIEwTmBikeeUn6DzBohwrzxTI8C5lPwWSp', 'vTnpzA97zexXeV1l1jGC8NXjrM3e2yIR9dY2CjQFfRAjlSRhiO2lsVmj1qXqTVqV8bm7sbaKPoKiuahI7Vnjpg1w6z8A', 'P51HgDNJ7OH3arFKxzFvFYqjsMdTGH5c9ctGBTSNbqsJlzh8mwQZ2CaCplot6AKmqMnEjAHx3bPf1uXpFLF0LudXLCM2', 'H2ahoUWnWyyoSd5CXU8wIY9CUpeC0x2Z7Tp0gAPiIPxcmsx4i2DMVFzuAABDzvPaf2Cf5YMJN94eishQepiIKRuP5Usg', 'myx2lCFg8uw0h4Edvs3gRjgfgIjOMfag3w', 'Ww8ZRSO5YbWDgF3GhcNEWehckuCi7YSOfx'
Source: svchost.exe.0.dr, YzIGmiPgKJnYbfyfkZHjnmJHHAU8M65EWIsfycHGCX6KDORFPNUxl7rxmKvK6UsGxkdV0p4nFlvmUWh17alqYY33cFmX.cs	High entropy of concatenated method names: 'jjO0O2jqL8vmR9Chd0qR5eQRKHO1GyJT0kUPmnmQtDs2VLV40xzb6Rs4TagHULzAVoZLKnngM60FjcGBzu89DmTQI8vJ', 'kjhXWJSokhOtFfqu8NDIUrAD19dRivDF3StU1mj38dyv0wmsq5wRzXB2bRfJJzmUk82EtbfShYpx1RFuFxZKfESAQBEh', '_1UZH3tTApbrChxltnHeq6xEZ60HzDN0wp0HZPB78EArM7wTdkpOl2mMmoXMNzufUYPqfcp10W8nVohoHcsyJTWhxURnz', 'TNR0TFYwaS00LfDWiN9vdgjBftaFd9ukJBSlPQaQqSFcFovTM6FnUL4JrN2armr0ZUDCxfnqdsgYznwQFSixVk6mkPzL', 'z7Htu8z2E3jX6MUgCR6BbVjw2bM4dyVI9ak8PQclYUCDzDu8djVw7P7iSXZJHfUE9lO0OeuwYaML9Gj0JV1e3DDC5DbD', 'dvALSphKd8LdHbaXin6qbEhqpORwTsrkpJ6fovuUXPp2AbNSBD7BRbm7bIyCtpORtSGnD9e2BJDquGHdTx2ODPOeizVu', 'L0K2CN12pdjPf924idUEA5xeup8i2HPgZ3hBgMAPZCrw1qjkMk9AsuUD0F3iTseAqEFAF5upgZDXO4i72oWcA805HmmE', 'rU2AG5th59Fb7E9OZMr0FHTp2ECAfhy3UJI1q7K8NBkBAmothVeaK1puiEO2Dj6amyvFDm7sSB7uMAba7m8SDOLYUQs3', 'AwHXNOrsSWKO9ENisqKTOyxRYhUZ8nYJWi9Rz6ozmhGjEx1HEoFJjQVKCrLZkc1pZHewWWesF8SuTAmWGaabKo8zmXYV', 'SJry6YPU5zZN7CDG9yDQ8VKcHJvKvjVVZxS3x4OhNa4aYnvwMjQqo4QMe2flsmKvXp6B8IflWehOFEebfMKyxiqohBYT'
Source: svchost.exe.0.dr, pxtEtrZjCmY2xgTvKt0E3Wv3ytzkEjOAFr.cs	High entropy of concatenated method names: 'Uhznn11mf6B0rRRYiTsSudEI85opxeON3V', 'jrdcgsri4CHBg6yraaoEcuLv4pse9OQd8P', 'pONd1qDfZpQzwkM9DshCvaDQ2SyZetQzxw', 'LN67S4aP909G2NZWx9wYMEfixD1xr06HTc', 'akoV1HslHfgbmaQaVcEmEueCwZ4P1v0bBl', 'ThShI1Qk4nypZOLt7B2Sym28MgPcoNpCfn', '_4MnPrgMTp3szGoClp4QwJfuHZWEpOtVeF5', 'DKO0hhqMATBoqoEV9qRtkiTQ5CDXaY7iwJ', '_0g1uxrjbqAaAskK8NMHAalLca0juxaKKOK', 'GklncdwpNglacw2anC7h3wmGIbHwXqOq1I'
Source: svchost.exe.0.dr, pho3rSOmHqcbUnlzXgy8Bagz4JE3YuNdti.cs	High entropy of concatenated method names: '_0icrunfexnMxtINK7LezMekONnryqXUocz', 'OB25gU0MW5oT87UEd6FXBmUsJlWZYVFMb4tIJ8lfXq8XoixMFIdWrUU3jdg8ADkBxQ', 'nn1FcqgizBCETFZInEquMNRhxp4mTiuHw0HxUNi3sqKR1oLtnbBHtuZKpzYwGcQeaZ', 'WDWyf7ocNJxOauFHmxSe8x1GT9dKVN0dOdA2KZg00YEX0s1NPMWsyg39pBRKNCHhkk', 'PGK2GzYVqSvO5APWHdhb4Za8EJ7ghvm5ywnKRRqbxhNcpMkRs7SFUYaBmnqxe0pMKh'
Source: svchost.exe.0.dr, MtvKIjJV4EBaEvHD8rGhwbnf7R7wcR7zxg.cs	High entropy of concatenated method names: 'HDwog3vtkOIDxgZNUCFu8rQUJMTlrXbM1Q', 'KuPE3Iuyxr1nlP381V8cH6e5G621iDeSdgHrh5rFC8ashlCvEukUiPzbnjr1oUWAij', 'PJBPo57VNwCjjajYAARf0C0FjBRW2U3i5U4Z6DpZNocDecM2BcGwXI8KgaHnyB42nv', 'qFM3lHeZ0bApEMBegX6qWPCPcrkm0WBjNTAgQzugiZyUX1QtqCPqPjZJfORqHUHapz', 'XymJZkmtVxAiG2EyR18EN2dh4R8ytc6RIOAr9LR0sHgrjvC0qFH7Vq8iMejAcHClKC'
Source: svchost.exe.0.dr, 8MyZ0VKDRsvCYuSMWMje1VOY4Yodx0mEmcCuwdf0d5IIenIlnwtKU8Cjtgi26pQNhG6X4f1X4GnovSJMgUGK3GrZYND4.cs	High entropy of concatenated method names: 'oszdFmqhQQRBmLmKMJfCh9xJdluKkajSsc9uvkwAWNM8EA6Ss8NXxbxdPvCtMt2R6FI3zD1vk49qANODuEFdbqhncvTS', 'Q6vwQVyaLPr17iFFUGDE9GOiw2pmMN7qlIgDUrs60LJ2dp9AQWdtoi9GRctOpRnfAB6ZuOWwisfnweJ7SeBPYrebDxXo', 'AAU8KvF5gTWN2XxQqvyYYXAIpPl1XrX7JaDYVQDW51H7IVdj7mMNekudtvIBlj87YDSW9ddl1uBMfWQzC69wom91MIYA', 'hPNIcK9XI9hmicPhRnl22atq5dzRC6ENsX', 'w6qbrGs4SEQV7tSZXlx6yKcZnQaTfZN4U3', 'sTXNrOXsuzmUyuStLc9vvITHwrETZiSQ12', 'V3zF0OxkUO2Z4ZoxVugpRZQTL7ECzCBCbL', '_6LpD3k1wr1z8AFRmgyOX6BwTPgtjnopZhK', 'fJPyYpkpsdwJ9DJZjbk6L4fqSRVMY3HRxy', 'rlph7BuQ8hQh4e4VTFVH7HVEtO8J91yqGy'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Memory allocated: 1B240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1A9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1ABA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

Window / User API: threadDelayed 9792

Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe TID: 2852	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe TID: 4960	Thread sleep count: 9792 > 30	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe TID: 4960	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: r8gcHFIf3x.exe, 00000000.00000002.4128074677.000000001C2B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhttp%SystemRoot%\system32\mswsock.dllion=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
Source: r8gcHFIf3x.exe, svchost.exe.0.dr	Binary or memory string: PING!EDPOCvwDlFo9LeZSmZkqW33fkZ0TKzYbd8oEibUhsP4iJTJsvlvHNHNWYGbIgbD0zssOGKEGgg9vlNjO1uU95alsWjj1jjINZFm4FD5P8Ezwf10UtGARbmZtq7XRppJOFSXVWFmZpStjEBPEqaGdlAx2O8Hv54NOTP5uCKlN8yhEtWYED0pB5lC0QMBG6nzH6NaPSOCbn7col8ynsWEYgadbB7k3vEsC7N6xHwmlnxy55KLyqfBKfEBBpvF5aIeArdcWsGH7SH2sxKb2Hq0yIN1hERvgAZRnWZvPziTvHC600Tc5ubMV66Hbv7MEBt1VirUF83Q2dOYXAR6H2FjKaQzMrfJpRRE5GyF7Dlscvjaq1L0ZSSpn7qVvGOLhQcOPxELK0JtX9AW7RZtfwXH1chWtkDlGwHjyhwQBEPcj7PIytCg34OTmW0bwanwtrXlLjgzvXqmEIyW8KgQhtosAXe9kpfiFmEvtgeVMinNX7QEmUORjK0zgaDzXq6nl8rNbfBwsybZHmV0kJEtZyUAE9BlBnd2kWDDGqPOKZnq07kzk5wDVE2XNB8NXmCmOnWcFz6aq6rrU8eJ79Co9HKXEQZQeeS9DhXIZJD8GcwnFUlOURaLYi8U1FTEP2QxqF0XU5vkI9J3piAEpXrBjjRBbenoLIEbEUvXWDC9dPFOWCCoElGgafaBvqK8qwFtNEh2fMWtZoxjylJYxKQXPYpp33KdKajyRTuvpong

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: r8gcHFIf3x.exe, 00000000.00000002.4126190732.0000000003444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: r8gcHFIf3x.exe, 00000000.00000002.4126190732.0000000003444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: r8gcHFIf3x.exe, 00000000.00000002.4126190732.0000000003444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: r8gcHFIf3x.exe, 00000000.00000002.4126190732.0000000003444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2y
Source: r8gcHFIf3x.exe, 00000000.00000002.4126190732.0000000003444000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Queries volume information: C:\Users\user\Desktop\r8gcHFIf3x.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: r8gcHFIf3x.exe, 00000000.00000002.4128074677.000000001C2B0000.00000004.00000020.00020000.00000000.sdmp, r8gcHFIf3x.exe, 00000000.00000002.4125313343.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, r8gcHFIf3x.exe, 00000000.00000002.4125313343.000000000132C000.00000004.00000020.00020000.00000000.sdmp, r8gcHFIf3x.exe, 00000000.00000002.4128074677.000000001C2DF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\r8gcHFIf3x.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: r8gcHFIf3x.exe, type: SAMPLE
Source: Yara match	File source: 0.0.r8gcHFIf3x.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4127638829.0000000013251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1662726920.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: r8gcHFIf3x.exe PID: 6200, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: r8gcHFIf3x.exe, type: SAMPLE
Source: Yara match	File source: 0.0.r8gcHFIf3x.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4127638829.0000000013251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1662726920.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: r8gcHFIf3x.exe PID: 6200, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	21 Registry Run Keys / Startup Folder	2 Process Injection	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
r8gcHFIf3x.exe	82%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
r8gcHFIf3x.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\svchost.exe	82%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
23.ip.gl.ply.gg	147.185.221.23	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
23.ip.gl.ply.gg	true		unknown
127.0.0.1	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	r8gcHFIf3x.exe, 00000000.00000002.4126190732.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	23.ip.gl.ply.gg	United States		12087	SALSGIVERUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546359
Start date and time:	2024-10-31 20:08:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	r8gcHFIf3x.exe renamed because original name is a hash value
Original Sample Name:	0515dceafb2ac3a01d779111aabc07e0876b573b67df42af4e183243e7c506ff.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/3@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 61 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target r8gcHFIf3x.exe, PID 6200 because it is empty
Execution Graph export aborted for target svchost.exe, PID 5040 because it is empty
Execution Graph export aborted for target svchost.exe, PID 5956 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: r8gcHFIf3x.exe

Simulations

Behavior and APIs

Time	Type	Description
15:08:58	API Interceptor	13949382x Sleep call for process: r8gcHFIf3x.exe modified
19:09:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
19:09:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
19:09:16	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.23	0eVxwphG1t.exe	Get hash	malicious	XWorm	Browse
	9RgE5uOJwX.exe	Get hash	malicious	XWorm	Browse
	rustdesk.exe	Get hash	malicious	XWorm	Browse
	q0SpP6HxtE.exe	Get hash	malicious	XWorm	Browse
	mkDhqaw9dx.exe	Get hash	malicious	XWorm	Browse
	R7iHtCsOYz.exe	Get hash	malicious	XWorm	Browse
	Zvas34nq1T.exe	Get hash	malicious	XWorm	Browse
	fMdcaIZWzT.exe	Get hash	malicious	XWorm	Browse
	vtuLkV5KEW.exe	Get hash	malicious	XWorm	Browse
	IGznKtHyTp.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.ip.gl.ply.gg	q0SpP6HxtE.exe	Get hash	malicious	XWorm	Browse	147.185.221.23

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	0eVxwphG1t.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	9RgE5uOJwX.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	147.176.169.71
	rustdesk.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	Nurcraft.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	q0SpP6HxtE.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	7bZWBYVNPU.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	mkDhqaw9dx.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	R7iHtCsOYz.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	Zvas34nq1T.exe	Get hash	malicious	XWorm	Browse	147.185.221.23

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Download File

Process:	C:\Users\user\Desktop\r8gcHFIf3x.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 18:08:58 2024, mtime=Thu Oct 31 18:08:58 2024, atime=Thu Oct 31 18:08:58 2024, length=334336, window=hide
Category:	dropped
Size (bytes):	764
Entropy (8bit):	5.04266228406803
Encrypted:	false
SSDEEP:	12:8Btyt0124WIhWCJgdY//DIIJLyt5kBWjAsMrHknkvIBmV:8BtytmBgcg+UeI3AsMIn3Bm
MD5:	FAB1611280C86CABC2FCE8C967C98C0C
SHA1:	742A2AA13A65B5847D836058F03506AC2661DD42
SHA-256:	9895796AB9CBA905759D1C5B40A891E54C23512ABF25C85CFF6144D09B338E65
SHA-512:	22119BF3F3A5B5D95D53F479DDEFE79E7F079D4DE541891EA00D4B2DCC9D20323370514A0F99B170F17B10FA610E81EB41CEC40818F81B7A642232586D5548F0
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....dV.+....dV.+....dV.+..........................v.:..DG..Yr?.D..U..k0.&...&......vk.v....o:,P.+..\|.\|V.+......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^_Y.............................%..A.p.p.D.a.t.a...B.V.1....._Y....Roaming.@......CW.^_Y.............................~4.R.o.a.m.i.n.g.....b.2....._Y . .svchost.exe.H......_Y ._Y .............................*.s.v.c.h.o.s.t...e.x.e.......Y...............-.......X............wS.....C:\Users\user\AppData\Roaming\svchost.exe........\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.`.......X.......965543...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\svchost.exe

Download File

Process:	C:\Users\user\Desktop\r8gcHFIf3x.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	334336
Entropy (8bit):	5.468570783071018
Encrypted:	false
SSDEEP:	3072:iL30wxqS8+kb5g8InQO6J2l4mJe7UmuLchHPHo4bqRH33qGCNxxO7:40Klmbc/l4miUdLchvo4OlnqR
MD5:	71E459322FC143C6F54FA4075BBEA27F
SHA1:	91926031AE3212E02AC61236D89FC5E7CDB82655
SHA-256:	0515DCEAFB2AC3A01D779111AABC07E0876B573B67DF42AF4E183243E7C506FF
SHA-512:	D9CC7475086BA0E9818A49A2CD45D93D6E310A1C22D0C274A409B4124DE982B5722AE5627AAB49C8B47FF81D5B352E456CA8E7CE18A3E07D225F491E74963B9D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g.....................(......^.... ... ....@.. ....................................@.....................................S.... ...%...................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc....%... ...&..................@..@.reloc.......`......................@..B................@.......H........U..@.......&.....................................................(.....r...p. 3D....(.....rG..p. ....s.........s.........s.........s..........r...p. E/...r...p. .x!..r...p. @g..r_..p. ~.H..r...p. 0fk...((....r...p. .K...r...p. ....&(....&+..+5sK... .... .'..oL...(...~....-.(A...(3...~....oM...&.-..r9..p. .~Z..r...p. .Y...r...p. .=l..r...p. >k................j..................sN.............."(C...+.:.t....(>...+..rW..p. ..e..r

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.468570783071018
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	r8gcHFIf3x.exe
File size:	334'336 bytes
MD5:	71e459322fc143c6f54fa4075bbea27f
SHA1:	91926031ae3212e02ac61236d89fc5e7cdb82655
SHA256:	0515dceafb2ac3a01d779111aabc07e0876b573b67df42af4e183243e7c506ff
SHA512:	d9cc7475086ba0e9818a49a2cd45d93d6e310a1c22d0c274a409b4124de982b5722ae5627aab49c8b47ff81d5b352e456ca8e7ce18a3e07d225f491e74963b9d
SSDEEP:	3072:iL30wxqS8+kb5g8InQO6J2l4mJe7UmuLchHPHo4bqRH33qGCNxxO7:40Klmbc/l4miUdLchvo4OlnqR
TLSH:	86640A259FC6CA9FF12ED47F55FACD65A29FC058070F11C2EE7EC0EAA3AC9685506042
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g.....................(......^.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	cd993679681c94b4

Static PE Info

General

Entrypoint:	0x410e5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6722ADAB [Wed Oct 30 22:05:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10e08	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x4259a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xee64	0xf000	84fc00b3a720d04b915d2bd2bee255d2	False	0.6155598958333334	data	6.086380143863344	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x4259a	0x42600	75b7728e8d1f4b6a302d31ef030e5689	False	0.2890514653954802	data	4.891853939530098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0xc	0x200	873b96edd7bdd1f264f95bd5bca6abbd	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x12130	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 39 x 39 px/m	0.28785838979791106
RT_GROUP_ICON	0x54158	0x14	data	0.9
RT_VERSION	0x5416c	0x244	data	0.46551724137931033
RT_MANIFEST	0x543b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T20:09:14.606055+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49735	TCP
2024-10-31T20:09:53.611751+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49746	TCP
2024-10-31T20:10:16.058842+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49845	147.185.221.23	40630	TCP
2024-10-31T20:11:41.609504+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	50029	147.185.221.23	40630	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 20:09:20.812035084 CET	49742	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:20.817267895 CET	40630	49742	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:20.817344904 CET	49742	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:20.974544048 CET	49742	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:20.979463100 CET	40630	49742	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:29.299638987 CET	40630	49742	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:29.299823046 CET	49742	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:31.373955011 CET	49742	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:31.376508951 CET	49743	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:31.378916025 CET	40630	49742	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:31.381324053 CET	40630	49743	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:31.381422997 CET	49743	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:31.397110939 CET	49743	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:31.402127028 CET	40630	49743	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:39.865417957 CET	40630	49743	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:39.865500927 CET	49743	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:39.999049902 CET	49743	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:40.003938913 CET	40630	49743	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:46.656912088 CET	49745	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:46.661839962 CET	40630	49745	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:46.662941933 CET	49745	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:46.704507113 CET	49745	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:46.710458994 CET	40630	49745	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:55.152455091 CET	40630	49745	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:55.152529001 CET	49745	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:55.155241966 CET	49745	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:55.156505108 CET	49753	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:55.160034895 CET	40630	49745	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:55.161392927 CET	40630	49753	147.185.221.23	192.168.2.4
Oct 31, 2024 20:09:55.161461115 CET	49753	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:55.178412914 CET	49753	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:09:55.183239937 CET	40630	49753	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:03.651067972 CET	40630	49753	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:03.651129961 CET	49753	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:03.655235052 CET	49753	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:03.656228065 CET	49804	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:03.662288904 CET	40630	49753	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:03.663878918 CET	40630	49804	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:03.663947105 CET	49804	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:03.678818941 CET	49804	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:03.685720921 CET	40630	49804	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:12.140625000 CET	40630	49804	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:12.140698910 CET	49804	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:12.202150106 CET	49804	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:12.204421043 CET	49845	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:12.207037926 CET	40630	49804	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:12.209384918 CET	40630	49845	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:12.209496021 CET	49845	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:12.316029072 CET	49845	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:12.321363926 CET	40630	49845	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:16.058841944 CET	49845	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:16.063662052 CET	40630	49845	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:17.186764956 CET	49845	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:17.191740990 CET	40630	49845	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:20.692296028 CET	40630	49845	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:20.692353964 CET	49845	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:21.545836926 CET	49845	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:21.551963091 CET	40630	49845	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:23.584721088 CET	49908	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:23.590106964 CET	40630	49908	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:23.590181112 CET	49908	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:23.628124952 CET	49908	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:23.632960081 CET	40630	49908	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:29.092986107 CET	49908	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:29.097940922 CET	40630	49908	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:32.065408945 CET	40630	49908	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:32.069139957 CET	49908	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:34.108474016 CET	49908	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:34.113779068 CET	49968	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:34.113811970 CET	40630	49908	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:34.119276047 CET	40630	49968	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:34.119436026 CET	49968	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:34.223140955 CET	49968	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:34.228159904 CET	40630	49968	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:35.001401901 CET	49968	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:35.006323099 CET	40630	49968	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:38.421153069 CET	49968	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:38.426414967 CET	40630	49968	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:38.703212023 CET	49968	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:38.708120108 CET	40630	49968	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:42.602905989 CET	40630	49968	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:42.603048086 CET	49968	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:44.608452082 CET	49968	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:44.613554955 CET	40630	49968	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:48.847229004 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:48.852303028 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:48.852364063 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:48.906423092 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:48.911463976 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:48.936861992 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:48.941827059 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:48.999392033 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:49.004215002 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:49.014899015 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:49.019809008 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:49.030563116 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:49.035480022 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:49.046039104 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:49.050849915 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:49.093240023 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:49.098217010 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:57.342272043 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:10:57.342345953 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:59.108513117 CET	50020	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:10:59.113604069 CET	40630	50020	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:03.250950098 CET	50023	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:03.256208897 CET	40630	50023	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:03.256284952 CET	50023	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:03.324877977 CET	50023	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:03.329720020 CET	40630	50023	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:08.421389103 CET	50023	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:08.426434994 CET	40630	50023	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:11.733711004 CET	40630	50023	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:11.733815908 CET	50023	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:13.467952013 CET	50023	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:13.469727039 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:13.473187923 CET	40630	50023	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:13.474730015 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:13.474813938 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:13.511740923 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:13.516737938 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:13.546802998 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:13.551907063 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:13.608668089 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:13.613584042 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:13.624403000 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:13.629245996 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:18.749284983 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:18.754285097 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:18.796207905 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:18.801054955 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:18.921215057 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:18.926080942 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:18.952614069 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:18.957479954 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:18.983603001 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:18.988497972 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:18.999458075 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:19.004353046 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:19.014823914 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:19.019660950 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:20.733860016 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:20.738795996 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:21.546276093 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:21.551712036 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:21.949496031 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:21.949677944 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:24.062042952 CET	50024	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:24.067030907 CET	40630	50024	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:30.689152956 CET	50028	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:30.694529057 CET	40630	50028	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:30.697568893 CET	50028	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:30.806272984 CET	50028	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:30.811815023 CET	40630	50028	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:30.827538013 CET	50028	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:30.834248066 CET	40630	50028	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:30.874742985 CET	50028	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:30.880449057 CET	40630	50028	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:30.952497959 CET	50028	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:30.957390070 CET	40630	50028	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:39.206111908 CET	40630	50028	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:39.206171036 CET	50028	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:41.514952898 CET	50028	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:41.518935919 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:41.519795895 CET	40630	50028	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:41.523755074 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:41.523849010 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:41.586394072 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:41.591276884 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:41.609503984 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:41.614438057 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:41.671348095 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:41.676316977 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:41.781066895 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:41.786106110 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:43.702733040 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:43.708072901 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:46.999607086 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:47.004662991 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:47.093086958 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:47.098169088 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:50.049725056 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:50.049829960 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:52.127079010 CET	50029	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:52.132544041 CET	40630	50029	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:54.223133087 CET	50031	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:54.228771925 CET	40630	50031	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:54.228889942 CET	50031	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:54.297141075 CET	50031	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:54.302455902 CET	40630	50031	147.185.221.23	192.168.2.4
Oct 31, 2024 20:11:59.530647039 CET	50031	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:11:59.535973072 CET	40630	50031	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:02.719400883 CET	40630	50031	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:02.723174095 CET	50031	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:04.577461958 CET	50031	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:04.581967115 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:04.582273006 CET	40630	50031	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:04.586909056 CET	40630	50032	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:04.586987972 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:04.682516098 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:04.983494043 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:05.592871904 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:05.995927095 CET	40630	50032	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:05.995949030 CET	40630	50032	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:05.996006012 CET	40630	50032	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:10.499439001 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:10.504565954 CET	40630	50032	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:10.952708960 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:10.957616091 CET	40630	50032	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:13.062706947 CET	40630	50032	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:13.062783957 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:14.796205044 CET	50032	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:14.801120996 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:14.801405907 CET	40630	50032	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:14.805974007 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:14.806057930 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:14.919014931 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:14.923933983 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:14.984932899 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:14.989871025 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:16.469250917 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:16.845118999 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:17.084062099 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:17.084074020 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:18.812007904 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:18.817104101 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:20.641144991 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:20.646327972 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:23.289144993 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:23.289202929 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:25.780546904 CET	50033	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:25.785481930 CET	40630	50033	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:29.939136028 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:29.944129944 CET	40630	50036	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:29.947223902 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:29.999150038 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:30.004066944 CET	40630	50036	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:35.046519995 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:35.051655054 CET	40630	50036	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:35.108997107 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:35.114003897 CET	40630	50036	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:35.140369892 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:35.145277023 CET	40630	50036	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:35.159334898 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:35.164185047 CET	40630	50036	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:38.450251102 CET	40630	50036	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:38.451270103 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:40.159140110 CET	50036	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:40.164375067 CET	40630	50036	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:42.207169056 CET	50038	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:42.212512016 CET	40630	50038	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:42.212654114 CET	50038	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:42.367141962 CET	50038	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:42.372060061 CET	40630	50038	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:47.062213898 CET	50038	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:47.068912983 CET	40630	50038	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:47.905793905 CET	50038	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:47.912379026 CET	40630	50038	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:50.708154917 CET	40630	50038	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:50.715157986 CET	50038	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:52.936867952 CET	50038	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:52.940125942 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:52.941787004 CET	40630	50038	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:52.945252895 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:52.945321083 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:52.987675905 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:52.992913008 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:54.531158924 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:54.536081076 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:56.143147945 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:56.148241997 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:57.374414921 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:57.379839897 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:12:58.343554974 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:12:58.349087954 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:13:00.640079975 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:13:00.645370007 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:13:01.296684027 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:13:01.302638054 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:13:01.454267979 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:13:01.454333067 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:13:06.298197985 CET	50039	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:13:06.303105116 CET	40630	50039	147.185.221.23	192.168.2.4
Oct 31, 2024 20:13:34.062963009 CET	50043	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:13:34.067956924 CET	40630	50043	147.185.221.23	192.168.2.4
Oct 31, 2024 20:13:34.068048000 CET	50043	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:13:34.096518040 CET	50043	40630	192.168.2.4	147.185.221.23
Oct 31, 2024 20:13:34.101350069 CET	40630	50043	147.185.221.23	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 20:09:20.801162004 CET	49348	53	192.168.2.4	1.1.1.1
Oct 31, 2024 20:09:20.808552980 CET	53	49348	1.1.1.1	192.168.2.4
Oct 31, 2024 20:11:54.189013004 CET	51824	53	192.168.2.4	1.1.1.1
Oct 31, 2024 20:11:54.222099066 CET	53	51824	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 20:09:20.801162004 CET	192.168.2.4	1.1.1.1	0x9739	Standard query (0)	23.ip.gl.ply.gg	A (IP address)	IN (0x0001)	false
Oct 31, 2024 20:11:54.189013004 CET	192.168.2.4	1.1.1.1	0x6be1	Standard query (0)	23.ip.gl.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 20:09:20.808552980 CET	1.1.1.1	192.168.2.4	0x9739	No error (0)	23.ip.gl.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false
Oct 31, 2024 20:11:54.222099066 CET	1.1.1.1	192.168.2.4	0x6be1	No error (0)	23.ip.gl.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:08:53
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\r8gcHFIf3x.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\r8gcHFIf3x.exe"
Imagebase:	0xf20000
File size:	334'336 bytes
MD5 hash:	71E459322FC143C6F54FA4075BBEA27F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4127638829.0000000013251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4127638829.0000000013251000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1662726920.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1662726920.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:09:08
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x560000
File size:	334'336 bytes
MD5 hash:	71E459322FC143C6F54FA4075BBEA27F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:09:16
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x730000
File size:	334'336 bytes
MD5 hash:	71E459322FC143C6F54FA4075BBEA27F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFD9B891289 Relevance: 1.9, Strings: 1, Instructions: 630COMMON

Download Yara Rule

Strings

SAN_^, xrefs: 00007FFD9B8914E1

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID: SAN_^
API String ID: 0-3629432999
Opcode ID: 2d67dbdea5ec8e1b89c251288e4db3da0bd1b4b945d1a278b04a8fc0cc29f506
Instruction ID: 4ed49debd3419cce0dc0c8d9f86092f22e7d387207af47754978bc0a668e7e93
Opcode Fuzzy Hash: 2d67dbdea5ec8e1b89c251288e4db3da0bd1b4b945d1a278b04a8fc0cc29f506
Instruction Fuzzy Hash: AB12E721B2DA494FEB98FB7C88696B977D2FF9C304F404579E05EC32D6DE28A8418741

Function 00007FFD9B8972B6 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8647e503fe157b55f64b012e6ad3b03109ef1d08b515b42fa01f9ce99beb5955
Instruction ID: 152a27de860611d3fa93ede96559ee8521a1a2e57f040c7999e382540c41daf4
Opcode Fuzzy Hash: 8647e503fe157b55f64b012e6ad3b03109ef1d08b515b42fa01f9ce99beb5955
Instruction Fuzzy Hash: 42F1B430A0DA8D8FEFA8DF68D8557E93BD1FF58310F04426AE84DC7295DB3499418B82

Function 00007FFD9B898062 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f7c29f0ea5c466abe0f8c896c3fd9529862f39c095baac09ceedb82798511d
Instruction ID: 32cc4f4ac5643dc2c8a5f0f30ede8026b8f0e703874db577c1eb7bd463532161
Opcode Fuzzy Hash: 07f7c29f0ea5c466abe0f8c896c3fd9529862f39c095baac09ceedb82798511d
Instruction Fuzzy Hash: DBF1C330A0DA4E4FEFA8DF68C8657E93BD1FF58350F04426ED84DC72A5DA74A9418B81

Function 00007FFD9B8989FD Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B898A73

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 5ec23a1e2ea6f5ff1282ee18c3813ba520bf0695ff472a3ab22d9296500d586f
Instruction ID: ab7d6e2316c3872f7cde75a87af392c1418cd40a24833fbadaa28beefcdb83c4
Opcode Fuzzy Hash: 5ec23a1e2ea6f5ff1282ee18c3813ba520bf0695ff472a3ab22d9296500d586f
Instruction Fuzzy Hash: 3A213431D0D29A4FEF149BA488146F9BFF0EF49350F0602BAD489D31A2CA2C5A468792

Function 00007FFD9B892211 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

SAN_^, xrefs: 00007FFD9B892256

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID: SAN_^
API String ID: 0-3629432999
Opcode ID: 1fea9acfefb992e21d7af939e7a552cb5eba368ef9c1e6ca747f11e957551481
Instruction ID: e840eb0c020fce7150742661ed98371e81d6e5ecbca5ae2d20c7b00bffb11e66
Opcode Fuzzy Hash: 1fea9acfefb992e21d7af939e7a552cb5eba368ef9c1e6ca747f11e957551481
Instruction Fuzzy Hash: 3C113D21F0E69F4BEB3EABF848315686F61AF56650F4542B9C048CB1D7DE1CA5128352

Function 00007FFD9B892278 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

SAN_^, xrefs: 00007FFD9B892256

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID: SAN_^
API String ID: 0-3629432999
Opcode ID: 80d6d1515b9d61b27db0f6922f7502306ee2570e777093e30f7a43b5aff324af
Instruction ID: e775468ccfd5f53b42c1237ddbf41381efc31887b60bce17da3bf7d6691f6291
Opcode Fuzzy Hash: 80d6d1515b9d61b27db0f6922f7502306ee2570e777093e30f7a43b5aff324af
Instruction Fuzzy Hash: ACF0F430E0D50B8BE738DFE8C4626B9BBA1BF9D320F814678D409871E6DF2876528241

Function 00007FFD9B899005 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672ffad7c6c0f97f81331c518d509a2988c3fb6222fe56564473af2b25e01eec
Instruction ID: ef59211f27cd58d50c12922af172705a2f6203014466c3a0e4288bcad0c9b259
Opcode Fuzzy Hash: 672ffad7c6c0f97f81331c518d509a2988c3fb6222fe56564473af2b25e01eec
Instruction Fuzzy Hash: 72D10730F1E94E4FEB59EB6888696B87BE1FF49314F0145B5E01DC32E6DE2CA9428741

Function 00007FFD9B892CF2 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b34903e37e30cbcbf5967b0895dbc606f6644c47751e3f26faf999b9a3f8084
Instruction ID: 8af489365cf2d39307ee6a5786da8d1d37970d4e33017a2036289893f6cb4bdb
Opcode Fuzzy Hash: 4b34903e37e30cbcbf5967b0895dbc606f6644c47751e3f26faf999b9a3f8084
Instruction Fuzzy Hash: A7C18E22B0DA8D0FEB6DAB6C58746B87FD1EF89344F1501BAD09EC71D7DD2858068341

Function 00007FFD9B897C76 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4addfa617861875b4ff226f785b036ab41f5b9e41b6a9688ea524f0ea69cf294
Instruction ID: ea30af90f35c3b290653c86aa8689cc0e9ecf9da2f2a2d9ebda10871c5f428b3
Opcode Fuzzy Hash: 4addfa617861875b4ff226f785b036ab41f5b9e41b6a9688ea524f0ea69cf294
Instruction Fuzzy Hash: 74C1D43060DA4D4FEF68DF28D8557F93BE1EF59310F10426AE84DC72A6CB34A9458B82

Function 00007FFD9B890F58 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3eddb183e97ace38fa0e07af7711e28e4335aa2865433e2ec88b3535a60230c
Instruction ID: cc38a62357b148a4d9add0984511cea3c6ee996964523f06ee242ff9faa6a9e2
Opcode Fuzzy Hash: d3eddb183e97ace38fa0e07af7711e28e4335aa2865433e2ec88b3535a60230c
Instruction Fuzzy Hash: 1AA12521B1990E4FEBACEB6C44756BD7AD2EF9C350F5401B9E05EC32DADE2868428341

Function 00007FFD9B890F60 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc18f3dead1a15d022182e7ec86018dab891dac4b93fd54d9ea9dec4ca0034b7
Instruction ID: 1ebf294068aa47e26f555ba26784d5886cd1e003d90fc900a3a576d55c14fc63
Opcode Fuzzy Hash: bc18f3dead1a15d022182e7ec86018dab891dac4b93fd54d9ea9dec4ca0034b7
Instruction Fuzzy Hash: 1B815860718D09CBEB4CB7AC9869BB9B2D2FF98704F604176E01DC36DADD2CAD424752

Function 00007FFD9B8905D0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1af5bca34162e2102700d57031d8806086316f58d3f5616b0a7ec40031ec039
Instruction ID: c2adb6dfb2d607ffd3b7e46ce6bd8959fb6fcf32b6574310d805ad41e7abe166
Opcode Fuzzy Hash: b1af5bca34162e2102700d57031d8806086316f58d3f5616b0a7ec40031ec039
Instruction Fuzzy Hash: 2E614A31A0D64D8FDB19EBA8C825AB97FF0EF56321F1441BED049C71E2DB286806C751

Function 00007FFD9B898AE9 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda9eb8a65b583f91ff876251011c81590f6f0305d01db9e0e1360134bce256d
Instruction ID: 04d42c90106dd9fd59e4038f23558c469b54ae72a4575a26b7781ce15f766b82
Opcode Fuzzy Hash: dda9eb8a65b583f91ff876251011c81590f6f0305d01db9e0e1360134bce256d
Instruction Fuzzy Hash: 3651B630A18A0D8FDB58DF68D855BEDBBF1FF58310F1042AAD44DD3296DA34A942CB81

Function 00007FFD9B8991E5 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6232982df2dbf7081b463c90f93ccc0d0e309a17fc1453639d94d6ed2b8dbba8
Instruction ID: 7b07bdf52e7c110c7db9690b184f392751b39906d385a2abb454347d0b8727eb
Opcode Fuzzy Hash: 6232982df2dbf7081b463c90f93ccc0d0e309a17fc1453639d94d6ed2b8dbba8
Instruction Fuzzy Hash: 4D61B230B1A95E8FEFA4FBA8C4695AC7BE1FF89304F414479E01DC32E6DE2869418741

Function 00007FFD9B89479C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c3f4ecfddbd54e1ed401c0327bb5dd030c3e22d604a3c4e536c147bdb9d6e9
Instruction ID: da3ece97993b8b18012c2ddcd563568f434d9c7e3bb2ef47c80d50fdd235a381
Opcode Fuzzy Hash: d8c3f4ecfddbd54e1ed401c0327bb5dd030c3e22d604a3c4e536c147bdb9d6e9
Instruction Fuzzy Hash: 76519330908A1C8FDF68DB58D855BE9BBF1FF59310F1482AAD00DD3292DE34A9858B81

Function 00007FFD9B892688 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f38dc77b152008e61a21cb6b1342588b9141a178df9eaab3f466f25af408b5
Instruction ID: f9c3cc0eba00706d72f9618b0e5377e3cdae105004374fc1cf1bc8caf909b618
Opcode Fuzzy Hash: 64f38dc77b152008e61a21cb6b1342588b9141a178df9eaab3f466f25af408b5
Instruction Fuzzy Hash: A3513B30E0D68A4FEB5A9BB448316A57FE0EF5A314F1902F9D099D71E7CE2CA842C751

Function 00007FFD9B8919E1 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02b9219c4f8910f965233fdcfc407c7dd823025090e3344446684eec9f8d093
Instruction ID: e5264ff4957c012823f2240a94560c227dbee2cd8447ab5840a81ac1ad5cf640
Opcode Fuzzy Hash: b02b9219c4f8910f965233fdcfc407c7dd823025090e3344446684eec9f8d093
Instruction Fuzzy Hash: 39510F21B0E6C95FDB9AAB784874675AFD1DF8B219B0900FBE089C72E7DD185C06C342

Function 00007FFD9B8994CD Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdc67bc0e851a98e85bbe77ccefca4817ff5e952bd96f9b920ca636fb7a8d26
Instruction ID: 4d3448b5374675d81a386288909c27cc33635ed30fece79cb22959575e63ef90
Opcode Fuzzy Hash: 2cdc67bc0e851a98e85bbe77ccefca4817ff5e952bd96f9b920ca636fb7a8d26
Instruction Fuzzy Hash: D051F731B1994C4FDB55FB789869AE97BE1EF49310F1640BAE00DC72E6CE28AD42C741

Function 00007FFD9B89923F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9c5ce52960e8309ef49587355a96add9ad210dcec590224c87193301b72943
Instruction ID: 67068bb605b062ab6e4b07a9beee56f3d70a5ac5123fa980904250bb6d428858
Opcode Fuzzy Hash: 3e9c5ce52960e8309ef49587355a96add9ad210dcec590224c87193301b72943
Instruction Fuzzy Hash: 5351D530B1E94E4FEF55EB68C8655A87BF1FF99304F4540BAD04DC32E6CE2869428741

Function 00007FFD9B8923E5 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f14dc04b80a862f843d53750ece42e6321ebdaa3e5e115c5c0e03600539fdb5
Instruction ID: 9a5fabd7b7bfc03de0b123c8df2577a8dc367a3476077358156e1298e71df3b4
Opcode Fuzzy Hash: 6f14dc04b80a862f843d53750ece42e6321ebdaa3e5e115c5c0e03600539fdb5
Instruction Fuzzy Hash: 88519134A09A1DCFDFA8EF58C469AA97BE0FF18311F11416ED04AC36A1CB75E841CB41

Function 00007FFD9B890620 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813c49e5c87b281feb9dea5e0fa6700a44288689f39f66dfc074159207558444
Instruction ID: 7c4cfc56003bb2f4a642672ad39ef35976f6ef8b5407a4f58ff067555f712dd9
Opcode Fuzzy Hash: 813c49e5c87b281feb9dea5e0fa6700a44288689f39f66dfc074159207558444
Instruction Fuzzy Hash: D1415B21F1DA4A0FE7A9B73C48265797BD1DF8A618B0900BBD05DC32EBDD1C6C428352

Function 00007FFD9B890BFE Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef16d8e11b13717f6a94e4a3ab2690d531a2db0e4bcaa3575dcbbcf5c86dd9b
Instruction ID: 24a1a6adee98a75b17baab9ac088c95459fa11a31d241dd5ce1c03b827be9b83
Opcode Fuzzy Hash: cef16d8e11b13717f6a94e4a3ab2690d531a2db0e4bcaa3575dcbbcf5c86dd9b
Instruction Fuzzy Hash: 95412921B1DA8A0FE7A9B77858295793BD2DF8A618B0940BBD44DC71EBDD1C6C438342

Function 00007FFD9B890FC0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb7d1590389ca616a86970eeb8d87b1a28a9070dc9b6fdcb828ef5171df3024
Instruction ID: d20b2faef388a28624428684427df3374140777419434acf25c7f6d8433148ef
Opcode Fuzzy Hash: ecb7d1590389ca616a86970eeb8d87b1a28a9070dc9b6fdcb828ef5171df3024
Instruction Fuzzy Hash: 6741A134609A1DCFDFA8EF98C469AA977E0FB18315F10417ED04AC3AA1CB75E842CB41

Function 00007FFD9B899520 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b3296445ff707754be6a6f00e53441b995bdae613611a4b29708f975da1936
Instruction ID: f397581300fe32eb798b12ca4ad7cc081800686cee6bb55544130649a41d2e8e
Opcode Fuzzy Hash: f6b3296445ff707754be6a6f00e53441b995bdae613611a4b29708f975da1936
Instruction Fuzzy Hash: D7418331B1890C4FDB98FB68D8A9ABD77E2EF9C314F554479E00ED32A6DE24AC418741

Function 00007FFD9B898E3D Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a3e930f9880a903f8f940e237281b58127e61545c48375e1775fdaab22c889
Instruction ID: 4097b7716ae041aff393b8b2c00ecbfc82c1adb4b82d76daa0fbfccb263be177
Opcode Fuzzy Hash: 19a3e930f9880a903f8f940e237281b58127e61545c48375e1775fdaab22c889
Instruction Fuzzy Hash: 82419431B0990E4FDF95EBA88469AED7BF2EF5D340B04417AD40DD32A2DF3899428740

Function 00007FFD9B890528 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5d4d75f62c6747e88610144e07a95ceda8f952e323bd1b39a79cee09016d98
Instruction ID: bb00c7fa90e7e9c79aeaaf7eab993efdd98eb74ec83be2174cfb10946152d018
Opcode Fuzzy Hash: ac5d4d75f62c6747e88610144e07a95ceda8f952e323bd1b39a79cee09016d98
Instruction Fuzzy Hash: 1831F521B1C9494FEB9CFB2C986A678A6C2EF9D705F0501BEE04EC32D7DD689C418341

Function 00007FFD9B890F50 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3ea52581910723a7b7930cb3358d0f27e7d9c387e9293d06465155cf6ea40a
Instruction ID: 8c0cb04f1a81d214c817f14f525b3bb6214c29fb1b22d763dea7e1330109f063
Opcode Fuzzy Hash: 0c3ea52581910723a7b7930cb3358d0f27e7d9c387e9293d06465155cf6ea40a
Instruction Fuzzy Hash: E7416331F0990E8BDF98EBA88465ABD77E1EF58314F15017DD02ED32D6CE28A942C741

Function 00007FFD9B890AB0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9f6f2672f99ce0c09487451a83658f9b5a4c7f84000a8cae449f04b6b8950f
Instruction ID: eaccb047e3de345cf0dc4571be4409db84d9f3fdc8717d9354e30baf33356d18
Opcode Fuzzy Hash: fd9f6f2672f99ce0c09487451a83658f9b5a4c7f84000a8cae449f04b6b8950f
Instruction Fuzzy Hash: 8D31B351B28D094BEB98B7BC5C697BD66D6EF9C601F40017BF01DC32DAED1869024381

Function 00007FFD9B890949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67065ed3cbdf83a7b5b131a4763beeb44bb282ec071f3cd6ec2127d5dcce47d
Instruction ID: e7fcdbf0c4f690ab445190741ef7e2fa3498b17ebc605249892e2b959ed0c0d8
Opcode Fuzzy Hash: a67065ed3cbdf83a7b5b131a4763beeb44bb282ec071f3cd6ec2127d5dcce47d
Instruction Fuzzy Hash: 28318330B18A4E8FEB49FBA89865AED7BE1FF98300F504579D059D32D6DE386842C741

Function 00007FFD9B893145 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ff14343efb840551083360e7dde48ba016e24c4bebd7d56301fd112bc3a4bd
Instruction ID: 49018c9d8f98c63b6f5634f83e9852b9001fc082826de3ad3014d1589116ae3d
Opcode Fuzzy Hash: f6ff14343efb840551083360e7dde48ba016e24c4bebd7d56301fd112bc3a4bd
Instruction Fuzzy Hash: 75312B25A0F58E8FEB26ABF888745717FA0EF46329B5941BAD088C71E7DA1C5806C351

Function 00007FFD9B89A175 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc92a0392c67ebb81150725fe057d92897044da617dbb0788b42b7fb48ab22c
Instruction ID: 3b12d866132d72142cc8677d21b6855338b0b31d3cd667e9a6b09d6340390d72
Opcode Fuzzy Hash: 4cc92a0392c67ebb81150725fe057d92897044da617dbb0788b42b7fb48ab22c
Instruction Fuzzy Hash: 1F31E13150CB488FDB19DFA8D845AE9BBF0EF56320F0482AFD099C31A2D734A806CB51

Function 00007FFD9B891165 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999c3673ac2f62754b68afcd248ab143ed6c06e517e41221be52cd022e8aafc2
Instruction ID: abed16d7f2958c385a3ae965d7d609c52b92c43f703b60e68211255dc64aa61f
Opcode Fuzzy Hash: 999c3673ac2f62754b68afcd248ab143ed6c06e517e41221be52cd022e8aafc2
Instruction Fuzzy Hash: 7331D432B19A4E5FEB58EB98C8B11EDBFB2FF98250F410176D05AD71E6DD2428428741

Function 00007FFD9B89966A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99794ba97f7501ace8acf0621078443dbcb74502c82dad9ed9003719618e562c
Instruction ID: a12a43551236681d0c77fd2ab431be9baee069de7cd1b86751e0eb60ae05b700
Opcode Fuzzy Hash: 99794ba97f7501ace8acf0621078443dbcb74502c82dad9ed9003719618e562c
Instruction Fuzzy Hash: 95210631F1990D8BEF68EF6894A96BDBBE1EF48350F51057ED40EC32E6CE2469018741

Function 00007FFD9B89A099 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c2ed4b5d2ee1e4f507a627b1c1878daf14b865172ac947f14568e2f1068013
Instruction ID: ac2917c142eddcd595696345da8d5c62c03e671cb7b6abdecfa2e5f64f5776d4
Opcode Fuzzy Hash: f4c2ed4b5d2ee1e4f507a627b1c1878daf14b865172ac947f14568e2f1068013
Instruction Fuzzy Hash: ED215E35B4E6CE4FEB559BA448256EA3FE1EF89204F0540B6D48AC31D3DE1C9A468351

Function 00007FFD9B899F81 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd3854004372ec9da22571942e834f919a46f79369b20ad7eaffbab59a22a9c
Instruction ID: 7c4b664d695225897fe4f2c9c285086d40399f05da4c3e8fb066f1f6b45c4e95
Opcode Fuzzy Hash: 4bd3854004372ec9da22571942e834f919a46f79369b20ad7eaffbab59a22a9c
Instruction Fuzzy Hash: 6C21F610B1DA598BFB0AB7A858297F97AD1EF48700F5442BAE01CC32C7DD1869018392

Function 00007FFD9B890FD0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d689502217c4ad51dd7fd2850844e96c431ca4016f163453fd00dec659f93842
Instruction ID: a55f946abc5851b537dada30c83629ab0ca23822ce2321d8f27dec735e2ff133
Opcode Fuzzy Hash: d689502217c4ad51dd7fd2850844e96c431ca4016f163453fd00dec659f93842
Instruction Fuzzy Hash: 6E118610B1991D8BFB59B7ACA82ABF976C6EB48700F5145B5F01DC32CADD2869018392

Function 00007FFD9B891B81 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e613e54e3e4a1b9a3f77a6c583d5281681190c42411f7533782407d20ca2dc4f
Instruction ID: d280b2ddc67b03908752eb33a07bea9716aefe946eda6cb9ba6aba02bf0eecba
Opcode Fuzzy Hash: e613e54e3e4a1b9a3f77a6c583d5281681190c42411f7533782407d20ca2dc4f
Instruction Fuzzy Hash: 65116F21B0EA994FE755B32C68654717FE0DF9A661B0901FBE4C8C70E7E90459828342

Function 00007FFD9B8987C0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c16251c13cbd74d5dfb20f27e2c0575f6eecd7fc8cbd0ece07faec2463f95a
Instruction ID: 0ad757205224cf1af49d39d252311f0351b86c6321ca1c65c3fbc2844684612a
Opcode Fuzzy Hash: 86c16251c13cbd74d5dfb20f27e2c0575f6eecd7fc8cbd0ece07faec2463f95a
Instruction Fuzzy Hash: BC012631F1894E4FEB95F76C88166ADB7E1FB48354B0502B6D40DC32A6DE28294347D1

Function 00007FFD9B898941 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c1cc99fa4ef52ad73ce00f08bbabad3ab2488cafd294bfda6ca5ab6a93edb4
Instruction ID: 4557854d755562c6b4bc99472cae298acb6726c6f1b578c54e29f30f3974439b
Opcode Fuzzy Hash: b0c1cc99fa4ef52ad73ce00f08bbabad3ab2488cafd294bfda6ca5ab6a93edb4
Instruction Fuzzy Hash: 1311E571E0A65D0FDB41ABA888295ED7BB0FF55311F0102BBD418C71D7EE2899418382

Function 00007FFD9B898D69 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3617504571924c0ac80a43c0f8cc772c72b96ba10c5cf0543bea372fd06e8b4
Instruction ID: 5b573b101e6dd63b8b67bfdccf79ec3ed0b42ef6ce09c2e565adb206b95ee2bd
Opcode Fuzzy Hash: c3617504571924c0ac80a43c0f8cc772c72b96ba10c5cf0543bea372fd06e8b4
Instruction Fuzzy Hash: 2C111B307299298FEB89FF2CC499AA973E1FB5830979041B6D50DC3295DF38A8918B45

Function 00007FFD9B891BF1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb488fdbedd4f368d615d855ecc6c107648ba7d0cefe77f1da898cb7084b6c5
Instruction ID: 5385db3fb7bdfe76381bdd7c36c38f54f5037eccf5ac550aaa03e8ef76f582fa
Opcode Fuzzy Hash: deb488fdbedd4f368d615d855ecc6c107648ba7d0cefe77f1da898cb7084b6c5
Instruction Fuzzy Hash: 0D112651E0E7C55FE766A7244C358687FB1AFA7654B4E00EBD0C8CB0E7D90CA9898352

Function 00007FFD9B892071 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c2b73a027c81c383ddfb5fbb7deb30a56e1b6fab27bb62586c02a539b3c06a
Instruction ID: 9730e7dfcb70357dc59e935be26f2f0b7e06673e2781bf51991c1cb35fb809e4
Opcode Fuzzy Hash: f1c2b73a027c81c383ddfb5fbb7deb30a56e1b6fab27bb62586c02a539b3c06a
Instruction Fuzzy Hash: 18F0902294F7D90FEB175BB04C399A57FB0AF57100B0A46DBD488CB0A3CA19660AC392

Function 00007FFD9B890F78 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271e5fd071f79cdee4fa5992c2a5af6b1340bd205fccdec16531cb226bb7f3f2
Instruction ID: ae5c7a273a28907ae2aa3f58bbc5b6eb029c3f498e05a28e67a2cd4bc40f1ce0
Opcode Fuzzy Hash: 271e5fd071f79cdee4fa5992c2a5af6b1340bd205fccdec16531cb226bb7f3f2
Instruction Fuzzy Hash: 3AF08131F1581E4EDB50ABA898595FE77F0FF58305F000277E519D2199DE34694147C2

Function 00007FFD9B89236D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a399342597595ab20871badd9e0bf9a60191200d2df0da411cc6e988d5b843
Instruction ID: 66f1393a2f4f56236afa1988fe5039918ecfc8c81fd0667005374a0519d24215
Opcode Fuzzy Hash: 52a399342597595ab20871badd9e0bf9a60191200d2df0da411cc6e988d5b843
Instruction Fuzzy Hash: 7501F711F1E64A4FFB686BB448755782A90EF58304F1200B9D049C76E7DE9C69428342

Function 00007FFD9B890FD8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4128930329.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_r8gcHFIf3x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6fd408ab43341644fdb692fb7e85d51b52eaf76ee4dfea6b99fd186d8820cd
Instruction ID: 5ede8b81b89a7dee4954a26ad54e9f2da1594fb2769f7bfba652daac6fc0a6c6
Opcode Fuzzy Hash: dd6fd408ab43341644fdb692fb7e85d51b52eaf76ee4dfea6b99fd186d8820cd
Instruction Fuzzy Hash: 1DB01201DA780E00DC2433F50856164B8405F4C100FC60470D809801D9984D13944182

Analysis Process: svchost.exePID: 5040, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8B1289 Relevance: .6, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845818320.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84819cff74b3cc9cbeb75a7559a39537b9ab8e0a6ba921880f1b641ce40311b9
Instruction ID: 7b5840c823ab42837cb7fa3ee6ce05b2de89c398a6e85757c42daec1bfb2c1ed
Opcode Fuzzy Hash: 84819cff74b3cc9cbeb75a7559a39537b9ab8e0a6ba921880f1b641ce40311b9
Instruction Fuzzy Hash: 3612B661B29A594FE798FB7C9869AB977D2FF9C300F40057DE01DC32D6DE28A8418781

Function 00007FFD9B8B0E92 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845818320.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641823fa27e2c1d23072cce5d7ae032ece3e35fe412e53a7e1afdf863219a898
Instruction ID: 77478758118dbc596bf9c29ff8d69393d19ee4e72a5493545b95b0b80d9f445e
Opcode Fuzzy Hash: 641823fa27e2c1d23072cce5d7ae032ece3e35fe412e53a7e1afdf863219a898
Instruction Fuzzy Hash: F2412632F19A5A4FE748EBBCE8B54E97BB1EF45254F4401B7D049CB1E3ED2828468781

Function 00007FFD9B8B19E1 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845818320.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2d3702cb29b70fd0506005975376ab4c75d5fbfc5b6ac6d2bcfabf3dd0f765
Instruction ID: fc1f4c1b9427dc5834f0f35e4b83145e95962d14c7ef29a5cd2e9ec4d66ff613
Opcode Fuzzy Hash: ee2d3702cb29b70fd0506005975376ab4c75d5fbfc5b6ac6d2bcfabf3dd0f765
Instruction Fuzzy Hash: D5511F10B1E6C94FD79AAB785874675AFE1DF8B219B0900FAE089C71E7DD186806C382

Function 00007FFD9B8B0BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845818320.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8d5d1bfbf591bd73b869dc8205c4c06a323ef9d15c2cccfead668f08e0acfa
Instruction ID: ad14117527fd5888df6af28018f8206b6cb11bfe328db1c76faf4e3b72dda41d
Opcode Fuzzy Hash: 7e8d5d1bfbf591bd73b869dc8205c4c06a323ef9d15c2cccfead668f08e0acfa
Instruction Fuzzy Hash: D3510621B1E78A0FE3A6A77C48265797BE1DF8A614B0900FBD48DC71EBDD1C5C468392

Function 00007FFD9B8B0528 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845818320.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d8a012e41792518ec6665d608befff433cb04fa5d569c609971e7e414210d1
Instruction ID: 83663f99ceaac57e7c4084eb4e9912e0b7799d7b293808f11f2049741a2ec85a
Opcode Fuzzy Hash: 68d8a012e41792518ec6665d608befff433cb04fa5d569c609971e7e414210d1
Instruction Fuzzy Hash: 29310821B189490FEB98FB2C986A678B7C2EF9C705F0505BEE04EC32E7DD24AC418341

Function 00007FFD9B8B0A91 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845818320.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752796bc91c11e277f0a9c325ff602264de6be81ef997d8a240502575920387c
Instruction ID: 048fb1180f690cc1d7a70362efd1dc93b8e7d3332747aac5fbc389e5185b1533
Opcode Fuzzy Hash: 752796bc91c11e277f0a9c325ff602264de6be81ef997d8a240502575920387c
Instruction Fuzzy Hash: 3F31E551B28A594BE758BBBC5C297BD77D2EF99601F0501BBE00DC32E7DD1869018781

Function 00007FFD9B8B0949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845818320.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc099e87b48f2b654bb6b1e7487be70e6945282981cc30213a574c9b15640f4
Instruction ID: 2345194c819787f5a6b2c0d591a32e395db3a52410fc7bf97bf21cfa79a16413
Opcode Fuzzy Hash: 1cc099e87b48f2b654bb6b1e7487be70e6945282981cc30213a574c9b15640f4
Instruction Fuzzy Hash: 8A31A030B19A1E8FEB48EBB89865AFDB7A1FF98300F500479D019C32C6DE386941C781

Function 00007FFD9B8B1B81 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1845818320.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcf9eb0282868d7060e1419fde6043d6f92e6e870433a532bb50f427ed67b9d
Instruction ID: b98b935a462c99425243962a381317fe07fe0397e1236f0b8bd12db951a14a83
Opcode Fuzzy Hash: 8dcf9eb0282868d7060e1419fde6043d6f92e6e870433a532bb50f427ed67b9d
Instruction Fuzzy Hash: 46116311B1E7A90FE755B77C68654717FE0DF4966170905FBD488CB0E3E904594187C1

Analysis Process: svchost.exePID: 5956, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8B1289 Relevance: .6, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1922500854.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd974f887150169526810a5f85abddd15a6b6ab218040135319e138c45d50e5
Instruction ID: 5714fc40e8387ca748e34ed30a3a2ce1882b02259170dd800c6c4e76d3e5fc91
Opcode Fuzzy Hash: cbd974f887150169526810a5f85abddd15a6b6ab218040135319e138c45d50e5
Instruction Fuzzy Hash: FE12E671B29A5D4FE798FB788865AB977D2FF9C340F400579E01EC32D6DE28A9018781

Function 00007FFD9B8B0E92 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1922500854.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdb5b7e3f2f4be55bdbd367b84eca4a07673dfeae7bb7385b35609acb225b94
Instruction ID: e42c50f302b112fb911903ca34c059e948a71b6550d545171a7dbda3db002023
Opcode Fuzzy Hash: cfdb5b7e3f2f4be55bdbd367b84eca4a07673dfeae7bb7385b35609acb225b94
Instruction Fuzzy Hash: 60412532F1DA5A4FE748EBA8ECB54E97BB1EF45250F4401B3D059CB1E3ED2829468781

Function 00007FFD9B8B19E1 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1922500854.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11185232db29fa9dba31e46238fa29dbd503abe98392500091cc78dda6b38112
Instruction ID: e34c6855943c13ec01a8124a9a32bbe3d7cdda1826fb2a7af0c663130e589c19
Opcode Fuzzy Hash: 11185232db29fa9dba31e46238fa29dbd503abe98392500091cc78dda6b38112
Instruction Fuzzy Hash: B4511110B1E6C94FD79AAB785874675BFD1DF8B219B0900FAE089C71E7DD186806C382

Function 00007FFD9B8B0BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1922500854.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0af06c220f44b919aa55d100f741a20014cee28502b3231cead7f9eca2b7128
Instruction ID: 5409044c94297263f772c7d11207b3aca90963dab6c483ebc66dcbe245316454
Opcode Fuzzy Hash: f0af06c220f44b919aa55d100f741a20014cee28502b3231cead7f9eca2b7128
Instruction Fuzzy Hash: A6511921B1E68A0FE366A77C48365797BE1DF8A614B0900FBD48DC71EBDD1C5C468392

Function 00007FFD9B8B0528 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1922500854.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a7be38614026d054bcc805d46e3ba2fb91345954bfa62f071e3af58074dc11
Instruction ID: d880cad5eb08cbd26e6f56007a6c8905deb1c1799f24df179449822b7542ca4e
Opcode Fuzzy Hash: 58a7be38614026d054bcc805d46e3ba2fb91345954bfa62f071e3af58074dc11
Instruction Fuzzy Hash: D0310821B189490FEB98FB2C986A678B7C2EF9C705F0505BEE04EC32E7DD24AC418341

Function 00007FFD9B8B0A91 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1922500854.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752796bc91c11e277f0a9c325ff602264de6be81ef997d8a240502575920387c
Instruction ID: 048fb1180f690cc1d7a70362efd1dc93b8e7d3332747aac5fbc389e5185b1533
Opcode Fuzzy Hash: 752796bc91c11e277f0a9c325ff602264de6be81ef997d8a240502575920387c
Instruction Fuzzy Hash: 3F31E551B28A594BE758BBBC5C297BD77D2EF99601F0501BBE00DC32E7DD1869018781

Function 00007FFD9B8B0949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1922500854.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e69fdedbb07736cdfd2ce5e51ecdecbb3e3d2cc0a2defb366f5f75ccab4af3
Instruction ID: 94ecedbc565baa3fa5e77446ba8ab88ed2d6136c4f789a74caafabed9400f980
Opcode Fuzzy Hash: 30e69fdedbb07736cdfd2ce5e51ecdecbb3e3d2cc0a2defb366f5f75ccab4af3
Instruction Fuzzy Hash: 2531A070B19A1E8FDB48EBB8D865AEDB7A1FF98300F900479D019C32C6DE386941C781

Function 00007FFD9B8B1B81 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1922500854.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8edc13303798b4dc5ef37dfb0cce59a15c8eb2c1ef0480514a40007c013fca
Instruction ID: ff7c63885152d1f170075febbc1cff51d421a823af630c15931269e962a3d5ff
Opcode Fuzzy Hash: 0f8edc13303798b4dc5ef37dfb0cce59a15c8eb2c1ef0480514a40007c013fca
Instruction Fuzzy Hash: 2C116321B1E6A90FE755B77C68654717FE0DF4966170905FBD488C70E3E9045A8187C1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r8gcHFIf3x.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

C:\Users\user\AppData\Roaming\svchost.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
r8gcHFIf3x.exe