Edit tour

Windows Analysis Report
dr2YKJiGH9.exe

Overview

General Information

Sample name:	dr2YKJiGH9.exe renamed because original name is a hash value
Original sample name:	c8856be839712fe0022a473cd52de6be3473e5397b8c14f3227741271ab3285b.exe
Analysis ID:	1579071
MD5:	3f274a8a97f22ca6c3eec0d2da85306f
SHA1:	708fd86e458df8e1246bbaf813037a2f7424d11d
SHA256:	c8856be839712fe0022a473cd52de6be3473e5397b8c14f3227741271ab3285b
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Creates autostart registry keys with suspicious names

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

dr2YKJiGH9.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\dr2YKJiGH9.exe" MD5: 3F274A8A97F22CA6C3EEC0D2DA85306F)

schtasks.exe (PID: 5428 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

$77svchost.exe (PID: 6988 cmdline: C:\Users\user\AppData\Roaming\$77svchost.exe MD5: 3F274A8A97F22CA6C3EEC0D2DA85306F)

$77svchost.exe (PID: 6296 cmdline: "C:\Users\user\AppData\Roaming\$77svchost.exe" MD5: 3F274A8A97F22CA6C3EEC0D2DA85306F)

$77svchost.exe (PID: 3592 cmdline: "C:\Users\user\AppData\Roaming\$77svchost.exe" MD5: 3F274A8A97F22CA6C3EEC0D2DA85306F)

$77svchost.exe (PID: 1308 cmdline: C:\Users\user\AppData\Roaming\$77svchost.exe MD5: 3F274A8A97F22CA6C3EEC0D2DA85306F)

$77svchost.exe (PID: 2212 cmdline: C:\Users\user\AppData\Roaming\$77svchost.exe MD5: 3F274A8A97F22CA6C3EEC0D2DA85306F)

$77svchost.exe (PID: 2800 cmdline: C:\Users\user\AppData\Roaming\$77svchost.exe MD5: 3F274A8A97F22CA6C3EEC0D2DA85306F)

$77svchost.exe (PID: 6452 cmdline: C:\Users\user\AppData\Roaming\$77svchost.exe MD5: 3F274A8A97F22CA6C3EEC0D2DA85306F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["147.185.221.23"], "Port": 21083, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
dr2YKJiGH9.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
dr2YKJiGH9.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8f0c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8fa9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x90be:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8cf0:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\$77svchost.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\$77svchost.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8f0c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8fa9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x90be:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8cf0:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8d0c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8da9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ebe:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8af0:$cnc4: POST / HTTP/1.1
Process Memory Space: dr2YKJiGH9.exe PID: 6508	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.dr2YKJiGH9.exe.660000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.dr2YKJiGH9.exe.660000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8f0c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8fa9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x90be:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8cf0:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\$77svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\dr2YKJiGH9.exe, ProcessId: 6508, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77svchost

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\dr2YKJiGH9.exe, ProcessId: 6508, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\dr2YKJiGH9.exe", ParentImage: C:\Users\user\Desktop\dr2YKJiGH9.exe, ParentProcessId: 6508, ParentProcessName: dr2YKJiGH9.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe", ProcessId: 5428, ProcessName: schtasks.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\dr2YKJiGH9.exe", ParentImage: C:\Users\user\Desktop\dr2YKJiGH9.exe, ParentProcessId: 6508, ParentProcessName: dr2YKJiGH9.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe", ProcessId: 5428, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T19:06:28.049346+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	49929	147.185.221.23	21083	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dr2YKJiGH9.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\$77svchost.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: dr2YKJiGH9.exe

Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.23"], "Port": 21083, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\$77svchost.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: dr2YKJiGH9.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\$77svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: dr2YKJiGH9.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: dr2YKJiGH9.exe	String decryptor: 147.185.221.23
Source: dr2YKJiGH9.exe	String decryptor: 21083
Source: dr2YKJiGH9.exe	String decryptor: <123456789>
Source: dr2YKJiGH9.exe	String decryptor: <Xwormmm>
Source: dr2YKJiGH9.exe	String decryptor: XWorm V5.6
Source: dr2YKJiGH9.exe	String decryptor: USB.exe
Source: dr2YKJiGH9.exe	String decryptor: %AppData%
Source: dr2YKJiGH9.exe	String decryptor: $77svchost.exe

Source: dr2YKJiGH9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dr2YKJiGH9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49730 -> 147.185.221.23:21083
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49929 -> 147.185.221.23:21083

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.185.221.23

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.23 ports 0,1,2,3,8,21083

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.185.221.23:21083

Source: Joe Sandbox View

IP Address: 147.185.221.23 147.185.221.23

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.23

Source: dr2YKJiGH9.exe, 00000000.00000002.4117224058.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp, $77svchost.exe, 0000000B.00000002.2951132885.0000000001038000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: dr2YKJiGH9.exe, 00000000.00000002.4117934531.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: dr2YKJiGH9.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.dr2YKJiGH9.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\$77svchost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Code function: 0_2_00007FFD9B8B1249	0_2_00007FFD9B8B1249
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Code function: 0_2_00007FFD9B8B7376	0_2_00007FFD9B8B7376
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Code function: 0_2_00007FFD9B8B8122	0_2_00007FFD9B8B8122
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Code function: 0_2_00007FFD9B8B1289	0_2_00007FFD9B8B1289
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 3_2_00007FFD9B8A1249	3_2_00007FFD9B8A1249
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 3_2_00007FFD9B8A1289	3_2_00007FFD9B8A1289
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 4_2_00007FFD9B881249	4_2_00007FFD9B881249
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 4_2_00007FFD9B881289	4_2_00007FFD9B881289
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 6_2_00007FFD9B8B1249	6_2_00007FFD9B8B1249
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 6_2_00007FFD9B8B1289	6_2_00007FFD9B8B1289
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 9_2_00007FFD9B881249	9_2_00007FFD9B881249
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 9_2_00007FFD9B881289	9_2_00007FFD9B881289
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 11_2_00007FFD9B881249	11_2_00007FFD9B881249
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 11_2_00007FFD9B881289	11_2_00007FFD9B881289
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 12_2_00007FFD9B8B1249	12_2_00007FFD9B8B1249
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 12_2_00007FFD9B8B1289	12_2_00007FFD9B8B1289
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 13_2_00007FFD9B881249	13_2_00007FFD9B881249
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Code function: 13_2_00007FFD9B881289	13_2_00007FFD9B881289

Source: dr2YKJiGH9.exe, 00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameown.exe4 vs dr2YKJiGH9.exe
Source: dr2YKJiGH9.exe	Binary or memory string: OriginalFilenameown.exe4 vs dr2YKJiGH9.exe

Source: dr2YKJiGH9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dr2YKJiGH9.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.dr2YKJiGH9.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\$77svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: dr2YKJiGH9.exe, mTWy3VBRiC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dr2YKJiGH9.exe, mTWy3VBRiC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dr2YKJiGH9.exe, YZuRLFAH3p.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: $77svchost.exe.0.dr, mTWy3VBRiC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: $77svchost.exe.0.dr, mTWy3VBRiC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: $77svchost.exe.0.dr, YZuRLFAH3p.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: $77svchost.exe.0.dr, LQSr3Qs5WvGUiUEIPtesV7k3.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: $77svchost.exe.0.dr, LQSr3Qs5WvGUiUEIPtesV7k3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: dr2YKJiGH9.exe, LQSr3Qs5WvGUiUEIPtesV7k3.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dr2YKJiGH9.exe, LQSr3Qs5WvGUiUEIPtesV7k3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/3@0/1

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

File created: C:\Users\user\AppData\Roaming\$77svchost.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Mutant created: \Sessions\1\BaseNamedObjects\iK7wYvBd9W7rfkjX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03

Source: dr2YKJiGH9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: dr2YKJiGH9.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dr2YKJiGH9.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

File read: C:\Users\user\Desktop\dr2YKJiGH9.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dr2YKJiGH9.exe "C:\Users\user\Desktop\dr2YKJiGH9.exe"
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\$77svchost.exe C:\Users\user\AppData\Roaming\$77svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\$77svchost.exe "C:\Users\user\AppData\Roaming\$77svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\$77svchost.exe "C:\Users\user\AppData\Roaming\$77svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\$77svchost.exe C:\Users\user\AppData\Roaming\$77svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\$77svchost.exe C:\Users\user\AppData\Roaming\$77svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\$77svchost.exe C:\Users\user\AppData\Roaming\$77svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\$77svchost.exe C:\Users\user\AppData\Roaming\$77svchost.exe
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: $77svchost.lnk.0.dr

LNK file: ..\..\..\..\..\$77svchost.exe

Source: dr2YKJiGH9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dr2YKJiGH9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: dr2YKJiGH9.exe, EUpYy6ggjJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{YAum5WDquurJYksPIE4APZrx.JFYh2WGZXXsEnsMWtLnXPP4o,YAum5WDquurJYksPIE4APZrx.Kc1aHz0iuO7bjjPIQvQSh0D8,YAum5WDquurJYksPIE4APZrx._7eom7SQskwcOIs6vpw6CoWO2,YAum5WDquurJYksPIE4APZrx.T2UPXh9xixUcsoUUeM1t1Lj4,mTWy3VBRiC._3WgHERIewL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: dr2YKJiGH9.exe, EUpYy6ggjJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{wQVyBMfpkc[2],mTWy3VBRiC.qsXQv0lorB(Convert.FromBase64String(wQVyBMfpkc[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: $77svchost.exe.0.dr, EUpYy6ggjJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{YAum5WDquurJYksPIE4APZrx.JFYh2WGZXXsEnsMWtLnXPP4o,YAum5WDquurJYksPIE4APZrx.Kc1aHz0iuO7bjjPIQvQSh0D8,YAum5WDquurJYksPIE4APZrx._7eom7SQskwcOIs6vpw6CoWO2,YAum5WDquurJYksPIE4APZrx.T2UPXh9xixUcsoUUeM1t1Lj4,mTWy3VBRiC._3WgHERIewL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: $77svchost.exe.0.dr, EUpYy6ggjJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{wQVyBMfpkc[2],mTWy3VBRiC.qsXQv0lorB(Convert.FromBase64String(wQVyBMfpkc[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: dr2YKJiGH9.exe, EUpYy6ggjJ.cs	.Net Code: eqtLfUUYz6 System.AppDomain.Load(byte[])
Source: dr2YKJiGH9.exe, EUpYy6ggjJ.cs	.Net Code: _98IJJd0mAC System.AppDomain.Load(byte[])
Source: dr2YKJiGH9.exe, EUpYy6ggjJ.cs	.Net Code: _98IJJd0mAC
Source: $77svchost.exe.0.dr, EUpYy6ggjJ.cs	.Net Code: eqtLfUUYz6 System.AppDomain.Load(byte[])
Source: $77svchost.exe.0.dr, EUpYy6ggjJ.cs	.Net Code: _98IJJd0mAC System.AppDomain.Load(byte[])
Source: $77svchost.exe.0.dr, EUpYy6ggjJ.cs	.Net Code: _98IJJd0mAC

Source: dr2YKJiGH9.exe, EUpYy6ggjJ.cs	High entropy of concatenated method names: 'i4LstRTDRq', 'eqtLfUUYz6', 'Jkh1MavsgW', 'JkRugYtDJJ', '_2BtSpVidw3', 'g1gvgSfZyn', 'thlo4eiqP1', 'UdyetKfUgq', 'k6gtDAh3qw', 'Qin4PdbptZ'
Source: dr2YKJiGH9.exe, hmYo7BF7lOkhUc6aRaxlQ0X5.cs	High entropy of concatenated method names: 'AGhqtwCEqAwctg6PNQUOxWtk', 'ES4o0BPYC1D4RZru1aGmBVAw', 'TjXZsOcjLqYSYih35mzj9jyZ', '_3hHTJAHXJ5', 'uuRnEyp1AA', 'lpYO1ImrWL', 'j1sejTqTFg', 'Mal5Bfde6Z', 'GWsQyaeOnH', 'bAnrZim2dg'
Source: dr2YKJiGH9.exe, LQSr3Qs5WvGUiUEIPtesV7k3.cs	High entropy of concatenated method names: 'uHAVKLVUy9PDDRuPRFfzj5ev', 'q2tqzNzdxc', 'j4QQz7Lhei', 'AupHIdWmUB', '_9bN3ON1oTE', 'u1duWOB54b', 'xIQQFT17NM', '_4IRIIkMrvq', 'KOAVpY15uZ', 'XCjljseKG8'
Source: dr2YKJiGH9.exe, mTWy3VBRiC.cs	High entropy of concatenated method names: 'wFM9faywGi', 'EfC5npPEAk', '_0Iq6ssDtT4', 'TJYfEp2n6R', 'sQgGaV8zmu', '_7AHq824eiE', '_8ppClCfeQ2', 'zOBEXsSiXV', 'CpfQQUkfEu', '_2K4HM7rbp0'
Source: $77svchost.exe.0.dr, EUpYy6ggjJ.cs	High entropy of concatenated method names: 'i4LstRTDRq', 'eqtLfUUYz6', 'Jkh1MavsgW', 'JkRugYtDJJ', '_2BtSpVidw3', 'g1gvgSfZyn', 'thlo4eiqP1', 'UdyetKfUgq', 'k6gtDAh3qw', 'Qin4PdbptZ'
Source: $77svchost.exe.0.dr, hmYo7BF7lOkhUc6aRaxlQ0X5.cs	High entropy of concatenated method names: 'AGhqtwCEqAwctg6PNQUOxWtk', 'ES4o0BPYC1D4RZru1aGmBVAw', 'TjXZsOcjLqYSYih35mzj9jyZ', '_3hHTJAHXJ5', 'uuRnEyp1AA', 'lpYO1ImrWL', 'j1sejTqTFg', 'Mal5Bfde6Z', 'GWsQyaeOnH', 'bAnrZim2dg'
Source: $77svchost.exe.0.dr, LQSr3Qs5WvGUiUEIPtesV7k3.cs	High entropy of concatenated method names: 'uHAVKLVUy9PDDRuPRFfzj5ev', 'q2tqzNzdxc', 'j4QQz7Lhei', 'AupHIdWmUB', '_9bN3ON1oTE', 'u1duWOB54b', 'xIQQFT17NM', '_4IRIIkMrvq', 'KOAVpY15uZ', 'XCjljseKG8'
Source: $77svchost.exe.0.dr, mTWy3VBRiC.cs	High entropy of concatenated method names: 'wFM9faywGi', 'EfC5npPEAk', '_0Iq6ssDtT4', 'TJYfEp2n6R', 'sQgGaV8zmu', '_7AHq824eiE', '_8ppClCfeQ2', 'zOBEXsSiXV', 'CpfQQUkfEu', '_2K4HM7rbp0'

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

File created: C:\Users\user\AppData\Roaming\$77svchost.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $77svchost

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe"

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk

Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk

Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $77svchost			Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $77svchost			Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Memory allocated: FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Memory allocated: 1A9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1A750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 21E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1A440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1AC30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1A7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1AEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1AE20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Memory allocated: 1AB80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Window / User API: threadDelayed 4223			Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Window / User API: threadDelayed 5612			Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe TID: 2836	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe TID: 5960	Thread sleep count: 4223 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe TID: 5960	Thread sleep count: 5612 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe TID: 2664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe TID: 3084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe TID: 1028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe TID: 3520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe TID: 3496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: dr2YKJiGH9.exe, 00000000.00000002.4120318677.000000001B5F0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe"

Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Queries volume information: C:\Users\user\Desktop\dr2YKJiGH9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\$77svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\$77svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\$77svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\$77svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\$77svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\$77svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\$77svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\$77svchost.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: dr2YKJiGH9.exe, 00000000.00000002.4120318677.000000001B6AE000.00000004.00000020.00020000.00000000.sdmp, dr2YKJiGH9.exe, 00000000.00000002.4120318677.000000001B67F000.00000004.00000020.00020000.00000000.sdmp, dr2YKJiGH9.exe, 00000000.00000002.4120318677.000000001B6B2000.00000004.00000020.00020000.00000000.sdmp, dr2YKJiGH9.exe, 00000000.00000002.4120318677.000000001B644000.00000004.00000020.00020000.00000000.sdmp, dr2YKJiGH9.exe, 00000000.00000002.4117224058.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: dr2YKJiGH9.exe, 00000000.00000002.4120318677.000000001B6B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\dr2YKJiGH9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: dr2YKJiGH9.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dr2YKJiGH9.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dr2YKJiGH9.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\$77svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: dr2YKJiGH9.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dr2YKJiGH9.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dr2YKJiGH9.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\$77svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	121 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	131 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	121 Registry Run Keys / Startup Folder	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
dr2YKJiGH9.exe	76%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
dr2YKJiGH9.exe	100%	Avira	HEUR/AGEN.1305769
dr2YKJiGH9.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\$77svchost.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\$77svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\$77svchost.exe	76%	ReversingLabs	Win32.Exploit.Xworm

Name	Malicious	Antivirus Detection	Reputation
147.185.221.23	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dr2YKJiGH9.exe, 00000000.00000002.4117934531.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.mic	dr2YKJiGH9.exe, 00000000.00000002.4117224058.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp, $77svchost.exe, 0000000B.00000002.2951132885.0000000001038000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579071
Start date and time:	2024-12-20 19:03:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dr2YKJiGH9.exe renamed because original name is a hash value
Original Sample Name:	c8856be839712fe0022a473cd52de6be3473e5397b8c14f3227741271ab3285b.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/3@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 113 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target $77svchost.exe, PID 1308 because it is empty
Execution Graph export aborted for target $77svchost.exe, PID 2212 because it is empty
Execution Graph export aborted for target $77svchost.exe, PID 2800 because it is empty
Execution Graph export aborted for target $77svchost.exe, PID 3592 because it is empty
Execution Graph export aborted for target $77svchost.exe, PID 6296 because it is empty
Execution Graph export aborted for target $77svchost.exe, PID 6452 because it is empty
Execution Graph export aborted for target $77svchost.exe, PID 6988 because it is empty
Execution Graph export aborted for target dr2YKJiGH9.exe, PID 6508 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: dr2YKJiGH9.exe

Simulations

Behavior and APIs

Time	Type	Description
13:04:01	API Interceptor	13189921x Sleep call for process: dr2YKJiGH9.exe modified
18:04:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run $77svchost C:\Users\user\AppData\Roaming\$77svchost.exe
18:04:02	Task Scheduler	Run new task: $77svchost path: C:\Users\user\AppData\Roaming\$77svchost.exe
18:04:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run $77svchost C:\Users\user\AppData\Roaming\$77svchost.exe
18:04:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.23	jSm8N1jXbk.exe	Get hash	malicious	S400 RAT	Browse
	enigma_loader.exe	Get hash	malicious	XWorm	Browse
	exe006.exe	Get hash	malicious	SheetRat	Browse
	yF21ypxRB7.exe	Get hash	malicious	XWorm	Browse
	9GlCWW6bXc.exe	Get hash	malicious	XWorm	Browse
	fiPZoO6xvJ.exe	Get hash	malicious	XWorm	Browse
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse
	eternal.exe	Get hash	malicious	XWorm	Browse
	svchost.exe	Get hash	malicious	Unknown	Browse
	msedge_visual_render.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	PjGz899RZV.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	ehxF3rusxJ.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	147.184.134.130
	Client-built-Playit.exe	Get hash	malicious	Quasar	Browse	147.185.221.24
	PowerRat.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.211
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse	147.185.221.24
	msedge.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	imagelogger.exe	Get hash	malicious	XWorm	Browse	147.185.221.229
	NJRAT DANGEROUS.exe	Get hash	malicious	XWorm	Browse	147.185.221.181

Process:	C:\Users\user\AppData\Roaming\$77svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\$77svchost.exe

Download File

Process:	C:\Users\user\Desktop\dr2YKJiGH9.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	43008
Entropy (8bit):	5.740482218883961
Encrypted:	false
SSDEEP:	768:boP1CHDCozW8kSC0mqC8dtyi2Xejkv/GwvokbyG1h1BO1hWL/L:28mozbbxLlk2wAkbyG1TBO1AP
MD5:	3F274A8A97F22CA6C3EEC0D2DA85306F
SHA1:	708FD86E458DF8E1246BBAF813037A2F7424D11D
SHA-256:	C8856BE839712FE0022A473CD52DE6BE3473E5397B8C14F3227741271AB3285B
SHA-512:	7604F1FA42090562FE8967A92509A042B5B98E7C550DC758253936D3340D566546C79AF9B0E5F4C8F14DD70C0FDAA5E8AFF247D8B534DE3D63B161ADA10DA654
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\$77svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\$77svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg................................ ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H....... W..`e......&.....................................................(.....r...p. .j....(.....r...p. S....s.........s.........s.........s..........r-..p. .x!..rC..p. .....rY..p. ..s..ro..p. .W...r...p. ..e...((....rM..p. ~.H..rc..p. ....&(....&+..+5sR... .... .'..oS...(...~....-.(A...(3...~....oT...&.-..r/..p. z....rE..p.r[..p. ?.z..rq..p. .(T...............j..................sU.............."(C...+.:.t....(>...+..r...p. K....r...p.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk

Download File

Process:	C:\Users\user\Desktop\dr2YKJiGH9.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 17:04:01 2024, mtime=Fri Dec 20 17:04:01 2024, atime=Fri Dec 20 17:04:01 2024, length=43008, window=hide
Category:	dropped
Size (bytes):	781
Entropy (8bit):	5.0573793615419715
Encrypted:	false
SSDEEP:	12:8aern+4M2tWCFIXdY//olveLLsd/oyjAxBrHyx69UNlpaHlHIBmV:8xrLMvXX+Mv40gOAxB0LlpaHlHIBm
MD5:	FBDC89AF660B1A2ED3FDEB8208EA2556
SHA1:	96F90056315C5099E3F321B5C0261DFC41B700F4
SHA-256:	5CD1480FEE4B70554C5EAFB235CCA42C9B1FA314C4BADDD8EEB0ED9760E2188A
SHA-512:	2B805A6BE8AAAF61F2C576D543D838DF311C67A09C47235CD8FFB7B935666DCECAB807C702123DA1EB00D95CDEBF5BBA91A7CCBA66186301A05C1C450E316484
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....`}..S...`}..S...`}..S..........................~.:..DG..Yr?.D..U..k0.&...&......vk.v........S..2....S......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y\|............................%..A.p.p.D.a.t.a...B.V.1......Yz...Roaming.@......CW.^.Yz...............................R.o.a.m.i.n.g.....j.2......Y.. .$77SVC~1.EXE..N......Y...Y.............................tU.$.7.7.s.v.c.h.o.s.t...e.x.e.......\...............-.......[............p:......C:\Users\user\AppData\Roaming\$77svchost.exe........\.....\.....\.....\.....\.$.7.7.s.v.c.h.o.s.t...e.x.e.`.......X.......701188...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.740482218883961
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	dr2YKJiGH9.exe
File size:	43'008 bytes
MD5:	3f274a8a97f22ca6c3eec0d2da85306f
SHA1:	708fd86e458df8e1246bbaf813037a2f7424d11d
SHA256:	c8856be839712fe0022a473cd52de6be3473e5397b8c14f3227741271ab3285b
SHA512:	7604f1fa42090562fe8967a92509a042b5b98e7c550dc758253936d3340d566546c79af9b0e5f4c8f14dd70c0fdaa5e8aff247d8b534de3d63b161ada10da654
SSDEEP:	768:boP1CHDCozW8kSC0mqC8dtyi2Xejkv/GwvokbyG1h1BO1hWL/L:28mozbbxLlk2wAkbyG1TBO1AP
TLSH:	5D135B4CB7918639D5FE4FB518B26226C73EE5074913DA6F28E840DB2B27ACDCA007D5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....dg................................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40bcce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6764D6E1 [Fri Dec 20 02:30:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc80	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4be	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9cd4	0x9e00	6be5148210ff061f7585a622aa93f815	False	0.548407832278481	data	5.866550312518641	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x4be	0x600	d5731052948420da11db1618bd0abc62	False	0.3697916666666667	data	3.6852966482268834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	86efae7cf19562fe1f7fc42769d6a3c8	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x234	data			0.46808510638297873
RT_MANIFEST	0xc2d4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-20T19:04:17.147678+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49730	147.185.221.23	21083	TCP
2024-12-20T19:06:28.049346+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49929	147.185.221.23	21083	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 19:04:02.820810080 CET	49730	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:02.941319942 CET	21083	49730	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:02.941538095 CET	49730	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:03.474805117 CET	49730	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:03.594465971 CET	21083	49730	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:17.147677898 CET	49730	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:17.267961025 CET	21083	49730	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:24.849410057 CET	21083	49730	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:24.849504948 CET	49730	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:25.141392946 CET	49730	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:25.142864943 CET	49737	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:25.261107922 CET	21083	49730	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:25.262944937 CET	21083	49737	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:25.263076067 CET	49737	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:25.293694019 CET	49737	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:25.413563013 CET	21083	49737	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:38.845468998 CET	49737	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:38.966294050 CET	21083	49737	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:47.161662102 CET	21083	49737	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:47.161802053 CET	49737	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:48.157000065 CET	49737	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:48.158335924 CET	49738	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:48.276634932 CET	21083	49737	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:48.278083086 CET	21083	49738	147.185.221.23	192.168.2.4
Dec 20, 2024 19:04:48.278182030 CET	49738	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:48.310838938 CET	49738	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:04:48.430502892 CET	21083	49738	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:00.532531023 CET	49738	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:00.652180910 CET	21083	49738	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:10.193308115 CET	21083	49738	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:10.193578959 CET	49738	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:11.391897917 CET	49738	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:11.393064976 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:11.511554956 CET	21083	49738	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:11.512592077 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:11.512701988 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:11.549726009 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:11.669361115 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:11.720081091 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:11.839708090 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:11.839787006 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:11.959419012 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:14.899158955 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:15.018868923 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:16.391906023 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:16.511385918 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:27.438471079 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:27.558104038 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:27.558171988 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:27.677972078 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:27.678047895 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:27.797619104 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:33.297838926 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:33.417820930 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:33.428320885 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:33.428389072 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:33.428514957 CET	49771	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:33.429795027 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:33.548069954 CET	21083	49771	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:33.549415112 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:33.549602985 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:33.608285904 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:33.727951050 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:36.720115900 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:36.839864016 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:43.079302073 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:43.198983908 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:44.110393047 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:44.230739117 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:44.907443047 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:45.027064085 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:49.251158953 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:49.373322010 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:49.373373032 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:49.493264914 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:49.493315935 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:49.612909079 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:55.444000006 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:55.444120884 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:59.688319921 CET	49822	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:59.690438986 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:59.854929924 CET	21083	49822	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:59.854948997 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:05:59.855034113 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:05:59.903527975 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:00.024003029 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:00.110409975 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:00.230520964 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:00.235462904 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:00.355159998 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:00.357402086 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:00.481359005 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:00.751342058 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:00.871058941 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:06.016721010 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:06.137022972 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:17.549324989 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:17.719367981 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:18.676057100 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:18.795835018 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:21.772607088 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:21.772747993 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:22.047899008 CET	49879	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:22.051522017 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:22.167707920 CET	21083	49879	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:22.171092033 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:22.171399117 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:22.338340044 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:22.458240032 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:22.458287001 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:22.577853918 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:22.577903032 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:22.697642088 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:22.697691917 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:22.817291021 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:27.454843998 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:27.574476004 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:28.049345970 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:28.169353008 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:28.169624090 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:28.289436102 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:29.844793081 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:29.964500904 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:33.188649893 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:33.308391094 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:33.308459044 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:33.428417921 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:37.063608885 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:37.183295012 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:38.360611916 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:38.480500937 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:41.266860008 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:41.387161016 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:44.069622040 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:44.069703102 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:48.464809895 CET	49929	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:48.472106934 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:48.584585905 CET	21083	49929	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:48.591828108 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:48.591895103 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:48.717777014 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:48.837582111 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:54.938872099 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:55.060672998 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:55.060733080 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:55.185141087 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:06:55.185194969 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:06:55.304889917 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:01.251245975 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:01.373411894 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:01.373461962 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:01.493423939 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:05.861351967 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:05.981237888 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:10.476593971 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:10.477746010 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:11.391782999 CET	49990	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:11.393351078 CET	50010	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:11.511466026 CET	21083	49990	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:11.512839079 CET	21083	50010	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:11.512914896 CET	50010	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:11.551282883 CET	50010	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:11.670970917 CET	21083	50010	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:21.907499075 CET	50010	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:22.028373003 CET	21083	50010	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:22.028441906 CET	50010	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:22.148075104 CET	21083	50010	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:22.392316103 CET	50010	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:22.512079954 CET	21083	50010	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:33.414602041 CET	21083	50010	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:33.414752960 CET	50010	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:33.415853024 CET	50010	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:33.419171095 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:33.535367012 CET	21083	50010	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:33.538692951 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:33.538820982 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:33.858999968 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:33.978651047 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:34.438730001 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:34.558698893 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:34.558744907 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:34.679554939 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:34.679688931 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:34.799444914 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:34.799499035 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:34.919368982 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:34.919415951 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:35.039104939 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:49.438843966 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:49.561114073 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:55.188832998 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:55.308681011 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:55.446707964 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:55.446774960 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:55.446844101 CET	50011	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:55.448461056 CET	50012	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:55.566437960 CET	21083	50011	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:55.568121910 CET	21083	50012	147.185.221.23	192.168.2.4
Dec 20, 2024 19:07:55.568260908 CET	50012	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:55.657438993 CET	50012	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:07:55.777340889 CET	21083	50012	147.185.221.23	192.168.2.4
Dec 20, 2024 19:08:00.907426119 CET	50012	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:08:01.027451038 CET	21083	50012	147.185.221.23	192.168.2.4
Dec 20, 2024 19:08:01.298417091 CET	50012	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:08:01.418471098 CET	21083	50012	147.185.221.23	192.168.2.4
Dec 20, 2024 19:08:03.062032938 CET	50012	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:08:03.181899071 CET	21083	50012	147.185.221.23	192.168.2.4
Dec 20, 2024 19:08:17.446486950 CET	21083	50012	147.185.221.23	192.168.2.4
Dec 20, 2024 19:08:17.446635962 CET	50012	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:08:25.282305956 CET	50012	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:08:25.282948017 CET	50013	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:08:25.402345896 CET	21083	50012	147.185.221.23	192.168.2.4
Dec 20, 2024 19:08:25.402456045 CET	21083	50013	147.185.221.23	192.168.2.4
Dec 20, 2024 19:08:25.402546883 CET	50013	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:08:25.430473089 CET	50013	21083	192.168.2.4	147.185.221.23
Dec 20, 2024 19:08:25.550050974 CET	21083	50013	147.185.221.23	192.168.2.4

Target ID:	0
Start time:	13:03:57
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\dr2YKJiGH9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dr2YKJiGH9.exe"
Imagebase:	0x660000
File size:	43'008 bytes
MD5 hash:	3F274A8A97F22CA6C3EEC0D2DA85306F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1669084801.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	13:04:01
Start date:	20/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\Users\user\AppData\Roaming\$77svchost.exe"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:04:01
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:04:03
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\$77svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\$77svchost.exe
Imagebase:	0x470000
File size:	43'008 bytes
MD5 hash:	3F274A8A97F22CA6C3EEC0D2DA85306F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\$77svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\$77svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:04:09
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\$77svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\$77svchost.exe"
Imagebase:	0x1f0000
File size:	43'008 bytes
MD5 hash:	3F274A8A97F22CA6C3EEC0D2DA85306F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:04:18
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\$77svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\$77svchost.exe"
Imagebase:	0xa20000
File size:	43'008 bytes
MD5 hash:	3F274A8A97F22CA6C3EEC0D2DA85306F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:05:01
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\$77svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\$77svchost.exe
Imagebase:	0x4f0000
File size:	43'008 bytes
MD5 hash:	3F274A8A97F22CA6C3EEC0D2DA85306F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:06:01
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\$77svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\$77svchost.exe
Imagebase:	0xae0000
File size:	43'008 bytes
MD5 hash:	3F274A8A97F22CA6C3EEC0D2DA85306F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:07:00
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\$77svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\$77svchost.exe
Imagebase:	0xae0000
File size:	43'008 bytes
MD5 hash:	3F274A8A97F22CA6C3EEC0D2DA85306F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:08:00
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\$77svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\$77svchost.exe
Imagebase:	0x940000
File size:	43'008 bytes
MD5 hash:	3F274A8A97F22CA6C3EEC0D2DA85306F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFD9B8B1249 Relevance: 2.0, Strings: 1, Instructions: 788COMMON

Download Yara Rule

Strings

SAL_^, xrefs: 00007FFD9B8B14E1

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID: SAL_^
API String ID: 0-3687847113
Opcode ID: b3d24cd5c9e3f8538dbb97a496509e460027124065ba686140b011627564c330
Instruction ID: 0893722f5cd2637a3ddcec65a459108b90c00231c570cb41f7540f1da874350f
Opcode Fuzzy Hash: b3d24cd5c9e3f8538dbb97a496509e460027124065ba686140b011627564c330
Instruction Fuzzy Hash: 7632D561B29A594FEB98FB7C9865AB977D2FF9C300F40057DE01DC32D6DE28A8018781

Function 00007FFD9B8B1289 Relevance: 1.9, Strings: 1, Instructions: 638COMMON

Download Yara Rule

Strings

SAL_^, xrefs: 00007FFD9B8B14E1

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID: SAL_^
API String ID: 0-3687847113
Opcode ID: 217ac3b5fae82fd049f2bde470162d5f9ac5a419e62a80e42817c7844fec7f3a
Instruction ID: 6efebdf91b527bbb029fea6a3717bb4c99772d5c946a557069efbc3311dad98e
Opcode Fuzzy Hash: 217ac3b5fae82fd049f2bde470162d5f9ac5a419e62a80e42817c7844fec7f3a
Instruction Fuzzy Hash: 7912B461B29A594FEBA8F77C9875ABC76D2FF9C300F4405B9E01DC72D6DD28A8018781

Function 00007FFD9B8B7376 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ee13592a878da0e298ba47b20a63cf0a4d1c4e71d87e3301004743051c8ae1
Instruction ID: 5398cf39b0c5770936ad451ceddbba3e922b379f86267dd92967b63ebdbf7841
Opcode Fuzzy Hash: 43ee13592a878da0e298ba47b20a63cf0a4d1c4e71d87e3301004743051c8ae1
Instruction Fuzzy Hash: F2F1B530A0DA4D4FEBA8DF28D855BE937D1FF59310F04426EE85DC72A5CB34A9458B82

Function 00007FFD9B8B8122 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b9cc86d7124c0dfe4be26845f5bb240fee898575e870caa6452792a79148f8
Instruction ID: 956ba03379e2b4ff5525b13a90edfb8292891304dcee9355d20ab28063d7d511
Opcode Fuzzy Hash: b4b9cc86d7124c0dfe4be26845f5bb240fee898575e870caa6452792a79148f8
Instruction Fuzzy Hash: 93F1E430A0DA4E4FEBA8DF68C8657F977D1FF58310F04426AD84DC72A5DA34A9428BC1

Function 00007FFD9B8B247F Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8B8A63

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c1e5d295beb69d58429fbb7a02a5af1a7afdc162c44a0c4fd32b9f5fd7954e2d
Instruction ID: fe6b0039941bb649082a252c68af794f07d037a87c67ad5adb2e58ec069bb1c5
Opcode Fuzzy Hash: c1e5d295beb69d58429fbb7a02a5af1a7afdc162c44a0c4fd32b9f5fd7954e2d
Instruction Fuzzy Hash: 5711CA31E0D53E8AEF24ABB888156FD77A0EF4D314F01013BD95DE3190DA3965558BD2

Function 00007FFD9B8B8A01 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8B8A63

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 9aa21a6f119a79cd7944eae1fb2292d0879b4d3cde358ba452be18c142b0d6c9
Instruction ID: 1a7bf418f200b81e84a39f1b1c008e09fb47633a28af3498ddfb3a82b7662223
Opcode Fuzzy Hash: 9aa21a6f119a79cd7944eae1fb2292d0879b4d3cde358ba452be18c142b0d6c9
Instruction Fuzzy Hash: 74110831E0D26D4FDF109BB488551FD7BB0EF49300F06027BC909E6191DB38954587D2

Function 00007FFD9B8B28E9 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

SAL_^, xrefs: 00007FFD9B8B2906

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID: SAL_^
API String ID: 0-3687847113
Opcode ID: 85f343e2dbac094190230c17595ef5ffda5b98699371982cd688c7767a498dbf
Instruction ID: 5e65f7a06bbcd5774e9b13b5a806ec4993f473aa2d43ef1fe7cc3406e1eb0fdf
Opcode Fuzzy Hash: 85f343e2dbac094190230c17595ef5ffda5b98699371982cd688c7767a498dbf
Instruction Fuzzy Hash: 95F0A420F1D12E46E738ABB95831EBD25925F88320F450578D01D871EADE3CE90146C1

Function 00007FFD9B8B9005 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc4d963988e0bc061a2e244284c45ab54352fb1235b4ee83b0380e034b1cbe8
Instruction ID: 186f154ed19e8459461eb0543d58f7698e5d103a63ca66a8f0922b23f9942814
Opcode Fuzzy Hash: 1fc4d963988e0bc061a2e244284c45ab54352fb1235b4ee83b0380e034b1cbe8
Instruction Fuzzy Hash: DCC14931F1D95E4FEB69EB7888696B877E1EF49310F0105B9E01DC31E6CE2CA9468781

Function 00007FFD9B8B7D36 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02790e16a0cf14f09815ed351eaab5653704628e550398088becb1be07c08b02
Instruction ID: 58b38021b50846c9fa2af05600cb8ada52649d7377b80baab0c852eaae3ae551
Opcode Fuzzy Hash: 02790e16a0cf14f09815ed351eaab5653704628e550398088becb1be07c08b02
Instruction Fuzzy Hash: D4B1C63060DB4D4FEB69DF28D8557F93BD1EF59310F04426EE84DC72A6CA34A9458B82

Function 00007FFD9B8B32D5 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2202fe0e3ec0910d2cfc413c28b783e04ecbc3c2e3b7bbcae81073d7681d4d
Instruction ID: 00c5a2b9ab7392bd82deb4279db5b886b1b5f2ee79fe2c8236bffcae54e86276
Opcode Fuzzy Hash: de2202fe0e3ec0910d2cfc413c28b783e04ecbc3c2e3b7bbcae81073d7681d4d
Instruction Fuzzy Hash: 55411761B1DA5E0FE75AA77C5835AB86BE2EF99300F4501BEE049C73D7DE285C028781

Function 00007FFD9B8B37F5 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59aa4e480d48713398c3b51764418995c13ac5fe1d88abf2f83d8043596f898e
Instruction ID: 59b031bef6acb1df286d4a05f968f3e53b5cd4c4bb092d6d7840a6807c7896db
Opcode Fuzzy Hash: 59aa4e480d48713398c3b51764418995c13ac5fe1d88abf2f83d8043596f898e
Instruction Fuzzy Hash: 7B71D66072C9598BE749F7BCA865BB5B7D2FF98300F1005BAE01DC36D6DD28A802C752

Function 00007FFD9B8B3567 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c32af609c40ac5dd591d6a5b5fbfa780beea1007fd00c958a281466e428f4b1
Instruction ID: 802a4786b61f95bfafe4f149bd2597acad99681ea816606318f0da5581efd04c
Opcode Fuzzy Hash: 2c32af609c40ac5dd591d6a5b5fbfa780beea1007fd00c958a281466e428f4b1
Instruction Fuzzy Hash: FD514762B1DD5E0FE7ACE73C54696B9B2D2EF9C390B04027ED04EC32D6DD2869428781

Function 00007FFD9B8B55FD Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350227f4799d032d9f253194afe02eec5525e83a09d507f7c195e23271806a35
Instruction ID: ecdec322d466671c18cd1a5dd9a2a72697f225bcf2b345262ecb283d0583c68b
Opcode Fuzzy Hash: 350227f4799d032d9f253194afe02eec5525e83a09d507f7c195e23271806a35
Instruction Fuzzy Hash: E161C370A08A1C8FDB98DF68C855BEDB7F1FF58310F1042AED44DD3292DA35A8468B81

Function 00007FFD9B8B8ADD Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a826a1aeffc7838748a20bd826d29c2571237330de23a7729d8c53fcfdb7d804
Instruction ID: f1a6607ae0c074a0ae35f9ba363b6564b71b2d47d05042d28ccebe6725e3f653
Opcode Fuzzy Hash: a826a1aeffc7838748a20bd826d29c2571237330de23a7729d8c53fcfdb7d804
Instruction Fuzzy Hash: 3A51D570A18A1C4FDB58EF68D855BEDBBF1FF58311F1042AAD04DD3296DA34A942CB81

Function 00007FFD9B8B91E5 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f86739f8e8d954b725c72ea3e0310a2fe982fd018320c0477152eee49d4314
Instruction ID: feb564c53e000330bea0eb689d24e5d7cdcf0116aa265f941f00a02ac0780ba6
Opcode Fuzzy Hash: 84f86739f8e8d954b725c72ea3e0310a2fe982fd018320c0477152eee49d4314
Instruction Fuzzy Hash: 2F618F30F1D95E8FDBA4EB789869ABC77E1FF89300F410479E41DC31A6DE2869418B81

Function 00007FFD9B8B0DF0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffb977f80a4ac1aff9ca16dfe90ae9a2c44c4bf188988fc77a7280f999eeb65
Instruction ID: 6765c7d4d20cb808ea04bb20e642edc8b5d7d55d2135ac63114ac32dca2bfefc
Opcode Fuzzy Hash: cffb977f80a4ac1aff9ca16dfe90ae9a2c44c4bf188988fc77a7280f999eeb65
Instruction Fuzzy Hash: 935178607289198BE749F77C9865FB9B2D2FF98300F50057AE01DC36D6DD28F8418752

Function 00007FFD9B8B486C Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78bbc129e95d90fdc1b4e064889551112fbae616827cd4c7d2c9904326dc0fc3
Instruction ID: 48fc63a3b4b0d223977f72e308dd9aa7154fd62336f53b8115ccbab086c47a35
Opcode Fuzzy Hash: 78bbc129e95d90fdc1b4e064889551112fbae616827cd4c7d2c9904326dc0fc3
Instruction Fuzzy Hash: 3A519431908A1C8FDB68DF58D855BE9B7F1FF59310F0482AAD00DD3292DE34A9858F81

Function 00007FFD9B8B9ABA Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111f4c74577b19f8adee9b3510c4673609be36c791daa62f4c4c7a97e71f5348
Instruction ID: 59bbe6e0c3660361e52d4d6c9de1920b2e96a4e9a3b06e344f33bf63e8f8028d
Opcode Fuzzy Hash: 111f4c74577b19f8adee9b3510c4673609be36c791daa62f4c4c7a97e71f5348
Instruction Fuzzy Hash: 5D510730A0D66D8FD758DF68D869AF97BE0EF55321F0441BED04DC31A2DB28A446CB91

Function 00007FFD9B8B2D38 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fdc95f40857bb59e622a99bddddeaf3a6226aedd6629c449a90dd2b4ad284e
Instruction ID: df8cfec914e0950c81f12f6aedd711971053193727db37e4e4a173fbf6ef1bbb
Opcode Fuzzy Hash: 71fdc95f40857bb59e622a99bddddeaf3a6226aedd6629c449a90dd2b4ad284e
Instruction Fuzzy Hash: FC513B30E0D68A4FEB56DBB458316A57FA0EF5A310F1902FAD059C71E7CE2C6846C791

Function 00007FFD9B8B94CD Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbe0fea0af2c9e20b692f21a814d7249aa38b5b677aa81a5c55db7d233d19b6
Instruction ID: 9a1bc0a1cdf5a0ec0f2c6604c4146927cd2faca68b02b31cb2244a54a99301a7
Opcode Fuzzy Hash: bdbe0fea0af2c9e20b692f21a814d7249aa38b5b677aa81a5c55db7d233d19b6
Instruction Fuzzy Hash: 51510A31B4955C4FDB59EB789869AF977E1EF49310F0604BAE00DC72E2CD28AD82C741

Function 00007FFD9B8B0E10 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f792f237d4813b890f029b5dba805060b9328a255ca3935b810cea8a5f7644b
Instruction ID: 7fe19392dd9769a3b9e2a0ddc1686e1e18772fef892e9ceab68a5d4e2115f08a
Opcode Fuzzy Hash: 7f792f237d4813b890f029b5dba805060b9328a255ca3935b810cea8a5f7644b
Instruction Fuzzy Hash: 99514F30F2991D9FDB98EB68D865ABC73E1FF8C304F514479E41DD3296CE24A9418B81

Function 00007FFD9B8B923F Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60f6d261bd296025dc6b13586cb9793128fc283cf6d5c97b881633cd070d206
Instruction ID: d4b0523c569ea8a33f66b2d84df8adb67ba43f33b6a0d7d60c707c2d9fbe5253
Opcode Fuzzy Hash: d60f6d261bd296025dc6b13586cb9793128fc283cf6d5c97b881633cd070d206
Instruction Fuzzy Hash: D351B330F1D95D5FEB95EB78D865AB87BE1EF49300F1504BAE409C31E6CE2869428B41

Function 00007FFD9B8B2A95 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b015c4706c41b0add73a5d11767bf6e8b3f59f138b1518d9be2d69d7d029a4
Instruction ID: a4e49fc8ed54711c8ca4d634bf1363cd10e114220c1de43490ac91c565947715
Opcode Fuzzy Hash: 87b015c4706c41b0add73a5d11767bf6e8b3f59f138b1518d9be2d69d7d029a4
Instruction Fuzzy Hash: 99517274A0DA2D8FDBA9EF68D469AB97BE0FB58311F01017ED00AC36A1CB75D841CB41

Function 00007FFD9B8B0620 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d73fd55558783f31ffe83ed66295df40df8ec6723d30e09af23f04277a76cb
Instruction ID: 8efc905451955a7c452ea3c3893759e33249706f6e09ffc06154d66dd03e7e0e
Opcode Fuzzy Hash: 94d73fd55558783f31ffe83ed66295df40df8ec6723d30e09af23f04277a76cb
Instruction Fuzzy Hash: CB414C21F2DA5A4FE3A9B73C483697977D1DF8A614B1900BBD44DC32EBDD186C428392

Function 00007FFD9B8B0BFE Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97efc04dcb4a12b9f3b9537bc60e868000b00bc865c6c331d10c1dac18a99e02
Instruction ID: 3c30e3bb276a3794ab14a7a46d07582a737bde58641a3faf5677b344df9aaeed
Opcode Fuzzy Hash: 97efc04dcb4a12b9f3b9537bc60e868000b00bc865c6c331d10c1dac18a99e02
Instruction Fuzzy Hash: DD412821F1DA9A0FE7A9A77C583A57937D2DF8A614B0900BBD44DC71EBDD1C6C428382

Function 00007FFD9B8B0E50 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be24748776c38c16221efffa6a75a88457de203ec342f8aa8f923a318943dcc
Instruction ID: 9c70259644a887e63e36d3955c729845124a8de746c8b4f961f09b0fea87a781
Opcode Fuzzy Hash: 3be24748776c38c16221efffa6a75a88457de203ec342f8aa8f923a318943dcc
Instruction Fuzzy Hash: DC417274A09A2D8FDB99EFACD469AB977E0FB58311F00017ED00AD36A1CB75E841CB40

Function 00007FFD9B8B9520 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4e78fbbf93127f73db25251c96fcc6f4877aad8d57fde7e2fd707776cb3160
Instruction ID: 259c2f916a99511ce40f275e0efcefc4ad5d968ee7a7a8efa3e743c5b24a3f1d
Opcode Fuzzy Hash: da4e78fbbf93127f73db25251c96fcc6f4877aad8d57fde7e2fd707776cb3160
Instruction Fuzzy Hash: 96415F31B1895C4FDB98EB78D869ABD77E2EF9C310F550479E00ED32A6DE24AC418781

Function 00007FFD9B8B8E41 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d79aadc4ecc29fdeef00829f2603ba6ba2146aec49537e2a98416edc23d0b5
Instruction ID: 84cb57ddf591e5a040e0a8bf2a2fbff3f32113aff1711d2e7cb3bb682e22037b
Opcode Fuzzy Hash: 15d79aadc4ecc29fdeef00829f2603ba6ba2146aec49537e2a98416edc23d0b5
Instruction Fuzzy Hash: 66418331B0991D4FEB95EBB88469AFD77F2EF5D301B04017AD409D72A2DF2899428B50

Function 00007FFD9B8B0DE0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc3e0f59679c33c8655fc67c5c8de27efa0b7d8470c278e088faca31ad7067f
Instruction ID: 25381fead73bba51b8e565ec6cbb51f2fb937232989a0553e1f96b1f2eff7e60
Opcode Fuzzy Hash: 3dc3e0f59679c33c8655fc67c5c8de27efa0b7d8470c278e088faca31ad7067f
Instruction Fuzzy Hash: A8419231F0991D4BDBA8EFB89464ABD76E1EF58314F15017DD02ED32D6CE28A941CB81

Function 00007FFD9B8B0DE8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc286fb73c289021c1e5028300dfa5a55d54729556ccbfe39a626da29b265fc9
Instruction ID: 87f24f0f24a264846b07368a0bc059be24dfbbe68585eb3543b565cc8e1891da
Opcode Fuzzy Hash: cc286fb73c289021c1e5028300dfa5a55d54729556ccbfe39a626da29b265fc9
Instruction Fuzzy Hash: 7A310961B1991D4BE79DA77C5479B7966D2EF98300F94057DE00DC33D6DE3868024781

Function 00007FFD9B8B0E15 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd3756a8012b0e2a1d9834d1209c85f79dc037c774985817005abc7ae42e12c
Instruction ID: 8d5e489e62450e0088d05987788400caeadafc4fe81742c25b3500f79e6769bd
Opcode Fuzzy Hash: 9bd3756a8012b0e2a1d9834d1209c85f79dc037c774985817005abc7ae42e12c
Instruction Fuzzy Hash: C9313071B0991D9FEB94EB789469AFD77E2EF9C301B540439D40DE3291DF38A9428B80

Function 00007FFD9B8B0AB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d8eea299865eeb50c222f2bbae95c45cdc0575cc73123315628b534d90ce38
Instruction ID: d180fa901aee515da08d612571a0a007ab18d49745ac0cfd1d1b74ba30e0a8ef
Opcode Fuzzy Hash: b9d8eea299865eeb50c222f2bbae95c45cdc0575cc73123315628b534d90ce38
Instruction Fuzzy Hash: DA31B551F2491A4BEB98BBBC5C6A7FD66D2EF9C701F50017AE01DC32DAED1869014781

Function 00007FFD9B8B0949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e704b29e3bef4bf4318ecb80888410261bb71172479961aaeb9ccbf99598cc58
Instruction ID: 9e1c206531d41d12b3681fa405f4eaf20c94033e6600057430f1e7dd7e89f2a9
Opcode Fuzzy Hash: e704b29e3bef4bf4318ecb80888410261bb71172479961aaeb9ccbf99598cc58
Instruction Fuzzy Hash: 4B31A470B18A5E8FEB49EBB89865AFDB7A1FF98300F500479D019D32D6DD386941C781

Function 00007FFD9B8B1C65 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3749ab668de5d16477e338e656c63d9bde7257996b47332fcef5637c630dab4c
Instruction ID: ee351ee4d988d8babcdfa3afd5b1a6e1047331bd1172a6e9b469e54eea98c5f4
Opcode Fuzzy Hash: 3749ab668de5d16477e338e656c63d9bde7257996b47332fcef5637c630dab4c
Instruction Fuzzy Hash: A0318421B1C9494FEB88EB2C986A778B6D2EF9C705F0545BEE04EC32D7DD689C418741

Function 00007FFD9B8B9E85 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5401eb5b86b3974e4b83bbf044e1a46c7b092d4c42702194fca3805777d8e7
Instruction ID: 7a96796c7a976aca5241d6fd941172d25a38bf68aeda6c49d9f810ad16ed4bc2
Opcode Fuzzy Hash: ba5401eb5b86b3974e4b83bbf044e1a46c7b092d4c42702194fca3805777d8e7
Instruction Fuzzy Hash: 6931B33150D7488FD719DFA8D84AAEABBF0FF56320F0482AFD089C3562D764A40ACB51

Function 00007FFD9B8B1160 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989a8389b1bda8aeb42a04e4d998e62d8cadef2e196bcef202305dc4fdc15df8
Instruction ID: 221dfe7cb442fbd0c0f11a893e2f7a9d5b39602a7f4064172c1da9ae3058b3da
Opcode Fuzzy Hash: 989a8389b1bda8aeb42a04e4d998e62d8cadef2e196bcef202305dc4fdc15df8
Instruction Fuzzy Hash: FC31E722A19A4E4FDB54EBAC9C711FDBBB1FF88350F400176D009DB1E6DE2429468781

Function 00007FFD9B8B966A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419bff421c9dafe53fafa0d3d3d0c32a8c6b823d9dd70a1a86e9b6edab21bd29
Instruction ID: 36cbfffac3883019c8bee7cb26809c72a1d07e1ba8c32eac3da1868bae45c3fe
Opcode Fuzzy Hash: 419bff421c9dafe53fafa0d3d3d0c32a8c6b823d9dd70a1a86e9b6edab21bd29
Instruction Fuzzy Hash: A821F721B0991D8FDB68AF7884A96BDB7E1EF59350F51057ED40EC32E6CE2459018781

Function 00007FFD9B8B9DA9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69906366d2a086d0b107e74bc91e8bd73496b799bde6480c29bf22cfd9aaa1d
Instruction ID: 281f2e3e536c9fd205d38d37c9a0d0621e50af637f75de3c6ece70bc67b806ea
Opcode Fuzzy Hash: f69906366d2a086d0b107e74bc91e8bd73496b799bde6480c29bf22cfd9aaa1d
Instruction Fuzzy Hash: AE218B30B4E59E4FE756DBB848269F937E1EF89200F0501BAD489C72A2CD1C9A4287C1

Function 00007FFD9B8B9C91 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5ab3429d4606d10db12032f7bf9996248115c6ed811cf054473268787f43d6
Instruction ID: 0fd7ea01fce2eb62ab6a947fa1f91b94a314e27b793b5e645bc6c871e2fa630f
Opcode Fuzzy Hash: 1d5ab3429d4606d10db12032f7bf9996248115c6ed811cf054473268787f43d6
Instruction Fuzzy Hash: 8421D450B1DA694AEB0AB7BC6835BF877D2EF49710F5405BAE019C31C7DC18A9018392

Function 00007FFD9B8B3AA5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ade3dcdf224ab817bd682c62fd5a02929162e56e8d3d7313a756703599fc351
Instruction ID: 16787f1a74a055100bbdb744fff9e8f735c4d5d7bb9c77fc871d315ba2157ff4
Opcode Fuzzy Hash: 6ade3dcdf224ab817bd682c62fd5a02929162e56e8d3d7313a756703599fc351
Instruction Fuzzy Hash: DC11125072881D87EB4D77ED7962BF9A1C7EFD8700F540176E019C32DBDC58A9029252

Function 00007FFD9B8B297D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb581506dcfff1144ccb17e68c71ac754eaf130aca02dac0384b65fceaeafced
Instruction ID: cf829e2f803bf6a92bbc01bb02dcaa60824ed9ec0ca32d928a5eaf21196cf0f8
Opcode Fuzzy Hash: eb581506dcfff1144ccb17e68c71ac754eaf130aca02dac0384b65fceaeafced
Instruction Fuzzy Hash: A311C2B190D6AC4FEB99DFB89869AB97FE0FF99200F4440BFD04DC71A2DA7451458740

Function 00007FFD9B8B8880 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c311593a964dd7dca489565e56c995d1c5025db66ada0ea4ecc86fd05fffd9
Instruction ID: b4db8c1161ede8e3fea58517be1f9ab0304b1b7c116aff7446015fb54d1c25ad
Opcode Fuzzy Hash: b4c311593a964dd7dca489565e56c995d1c5025db66ada0ea4ecc86fd05fffd9
Instruction Fuzzy Hash: 29114831F1896E0FEB61E76C5855ABD77A1EB49314F0502B2E40CD3192DE28290247D1

Function 00007FFD9B8B21CD Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355863d710bad85263ed2b617ae976e8ab5b81df5f9614fa29c2d050130e8af1
Instruction ID: d07e25726b355b393996082e66880700717555fe1e13da8eeac9caa66a58a2b1
Opcode Fuzzy Hash: 355863d710bad85263ed2b617ae976e8ab5b81df5f9614fa29c2d050130e8af1
Instruction Fuzzy Hash: 4E110222F0985D0EEB50AFB89C2A1FD7BA0EF64310F400077D918C7196DE246A4587C2

Function 00007FFD9B8B8D69 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd97e001cd0f5f9594372ec8644b3d608bfbb8e382e3117c15711592bc6f6bb4
Instruction ID: 3416aeca6b0c34dc2113b7add4ef1179539d743ecdf054264aea626c81003a72
Opcode Fuzzy Hash: cd97e001cd0f5f9594372ec8644b3d608bfbb8e382e3117c15711592bc6f6bb4
Instruction Fuzzy Hash: 15110C30769929DFEB85FB3CC4A5EB933E1FB5830175004B5D809C3695DE34B8818B85

Function 00007FFD9B8B1DD1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96659bc82b28c636ca4f2c9b1857cc081fc8a7d6b995514b2f5e320a7cbdfd0c
Instruction ID: 4f5b53a9ab85c8abe8bd25774499221c94adbbb58198c92f49172ba70c025773
Opcode Fuzzy Hash: 96659bc82b28c636ca4f2c9b1857cc081fc8a7d6b995514b2f5e320a7cbdfd0c
Instruction Fuzzy Hash: 94010451A1E7D60FE35797385C354687FA09F6729474E00FBD088CF0E7D908A9898392

Function 00007FFD9B8B1D61 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc58f1083ee68afd41e2ed23597062ad0cdc8b8520435a560c2ba57c92d231b
Instruction ID: fa8ab9818e269f3d58174cb685566f7094b39a9f5e4914b9fc64be1879e9712b
Opcode Fuzzy Hash: dcc58f1083ee68afd41e2ed23597062ad0cdc8b8520435a560c2ba57c92d231b
Instruction Fuzzy Hash: 06012811A1EBA90EE762A73C58654717FE0DF96640B0906BFD488CB1E7D9046A8583C2

Function 00007FFD9B8B2721 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9034752408464abf815d8c496155056df5f76403586337c3f50d0e1782319901
Instruction ID: 09bcf5b3b246e1df04bbb29a542cdf9c929cf992c9e1a6b0823d2ae23f0e836f
Opcode Fuzzy Hash: 9034752408464abf815d8c496155056df5f76403586337c3f50d0e1782319901
Instruction Fuzzy Hash: 10F0122294F3DD5FDB235BB45C315A57F70AF47140B0A41EBD4888B0A3C61966198BD6

Function 00007FFD9B8B21F0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130da39dcedb5f93512a602376040741afa71129937ec4ec0f89d2b317135335
Instruction ID: 8f36ac201445007e37ddc3c8931b1ff5e01d07b582082753573dc5e393d3ae89
Opcode Fuzzy Hash: 130da39dcedb5f93512a602376040741afa71129937ec4ec0f89d2b317135335
Instruction Fuzzy Hash: ADF08C32E0482D4EDB80ABA898195FEBBF0FF58305F00016AE419D3199DE34594487C1

Function 00007FFD9B8B2A1D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101ac15f09ad34415f7f298ebf6f6d81b35a9377310057c11720520844a0035b
Instruction ID: b040f82f8d865f216778111e28af39450345763b23f000954a796ca5bb503fb3
Opcode Fuzzy Hash: 101ac15f09ad34415f7f298ebf6f6d81b35a9377310057c11720520844a0035b
Instruction Fuzzy Hash: 8B012B11F0E6690FFB757BF818315782A91EF88300F1502BAD009C72E7DE1C68428782

Function 00007FFD9B8B2946 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9cd4421cd6b595b8d2a2b662fd05ce343b5fdd2852392b3381779d45e883c2
Instruction ID: 8c48cac7360dced93c44d71a62cfba2e50693a761527e83af81855a714e93d49
Opcode Fuzzy Hash: 5f9cd4421cd6b595b8d2a2b662fd05ce343b5fdd2852392b3381779d45e883c2
Instruction Fuzzy Hash: 46D05B50F1851F06E7187B755C32D7E65825FC4750F554478E01ACB1CBEC7CE8010681

Function 00007FFD9B8B9C6E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77dcf105700f68276c9099f52c44d31f76913d41604a2339c2893225d415a24
Instruction ID: d344bc25197cb2340b8db730357c42640695c774dd6ac08b8daa7019e6c4b4f8
Opcode Fuzzy Hash: d77dcf105700f68276c9099f52c44d31f76913d41604a2339c2893225d415a24
Instruction Fuzzy Hash: 5ED01210C9F3D90FC71663B10D254947FB0AD47150B4F82EBCC48CB0A3D64D59899362

Function 00007FFD9B8B28B0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121259576.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_dr2YKJiGH9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c0cfe6a58aa169ce152a1a4c842f69df88f0047b81ad56dce278e4a2448b25
Instruction ID: 78b9a1cd665b07fe83b5fe7f07ac299881db9484da212f6e90c9554a4a6745a3
Opcode Fuzzy Hash: e5c0cfe6a58aa169ce152a1a4c842f69df88f0047b81ad56dce278e4a2448b25
Instruction Fuzzy Hash: 93A00204DA781E01D86832FF1D978E474506F8D514FC61261E808A0996EC8E57E906D3

Analysis Process: $77svchost.exePID: 6988, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A1249 Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fad8b7e24c1b6fef3632b6bed3fd210f65c22168330a8f60fa621b60f9b0673
Instruction ID: cbc35373724e8b69aeaa1cdfcda20538e0923f2ff5b63b4a20d6f2a2324ef8b5
Opcode Fuzzy Hash: 7fad8b7e24c1b6fef3632b6bed3fd210f65c22168330a8f60fa621b60f9b0673
Instruction Fuzzy Hash: 2A32B761B29A494FE798FB6C9869BB9B7D2FF9C300F450579E01DC32D6DE38A8418341

Function 00007FFD9B8A1289 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f703cfd7310907b580cc3a103ac04d55dc05193ab428815616203b6c7c4c263
Instruction ID: 97e1e0cddb30cef7c345750ed5ac6372298ebf2a4c7285744d584c7d1e62fd46
Opcode Fuzzy Hash: 3f703cfd7310907b580cc3a103ac04d55dc05193ab428815616203b6c7c4c263
Instruction Fuzzy Hash: FB12C661F29A494FE798F7789879BB9B6D2FF9C300F450579E01EC32DADD28A8418341

Function 00007FFD9B8A1095 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

3M_^, xrefs: 00007FFD9B8A1101

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID: 3M_^
API String ID: 0-174631848
Opcode ID: 8547a03a40e291d7742b3179c47895e4896eca89d42f6c39649c6623de4a1ec7
Instruction ID: 9e932fe54de7a96e647121b0b6560bfdabb6abffca38fac0b35fd1a161380b18
Opcode Fuzzy Hash: 8547a03a40e291d7742b3179c47895e4896eca89d42f6c39649c6623de4a1ec7
Instruction Fuzzy Hash: 97412732F0A69E4FE705F7A8A8720ED7FB1EF45254B0502B7D059DB1E7ED2824068350

Function 00007FFD9B8A0BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2091f1cd211d7f60febe3abc5a3af6c1a05bbf9e698d211f8fdba9fd3846b354
Instruction ID: 6f23b774fb94d4a620d6e8893a5f16856971cd309b13a76794658486b7d5a328
Opcode Fuzzy Hash: 2091f1cd211d7f60febe3abc5a3af6c1a05bbf9e698d211f8fdba9fd3846b354
Instruction Fuzzy Hash: DE512A21B1E6CA0FE356A77848265797BE1DF8A614B0901FBD48DC71EBDC1C5C468362

Function 00007FFD9B8A1100 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783ec413c81f3e9d46a236f6ba45747a6d44a65e86684407ad499f7ac515d65b
Instruction ID: f5582cda6291777f5af787a8fc6ec75a9de526a1decc79e81f0e98c41c7d2377
Opcode Fuzzy Hash: 783ec413c81f3e9d46a236f6ba45747a6d44a65e86684407ad499f7ac515d65b
Instruction Fuzzy Hash: 9E31E432A0998E0FEB54E7A898711FDBFB1EF89350F4501B6D009D71E6DE242906C350

Function 00007FFD9B8A0A91 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b701c0a66c8ac55ae9e11107aa8b05706bb5a8056c5fc14a247353f64746ae
Instruction ID: 31b5851f8a362cccaeb4ed5ab686dcfe64e8c5f96d0c1735bbd86308f7d0446a
Opcode Fuzzy Hash: c0b701c0a66c8ac55ae9e11107aa8b05706bb5a8056c5fc14a247353f64746ae
Instruction Fuzzy Hash: E031C351F299494FEB98BBB85C297BD77D2EF98601F0502BBE01DC32D7ED1869024391

Function 00007FFD9B8A0949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef647a8831682af6cdd8480297ed1bde3c45343d9a8d2661811d9905a33c369c
Instruction ID: 9fb7678c8cb4409c58f289d53ebdf427b23bebe03af2b439dde9b64fb6824016
Opcode Fuzzy Hash: ef647a8831682af6cdd8480297ed1bde3c45343d9a8d2661811d9905a33c369c
Instruction Fuzzy Hash: CB319370B18A0E8FDB49EBA89865AEEB7E1FF98300F500579D019D32D6DD386941C751

Function 00007FFD9B8A1C65 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6980faeb5299499ee4cb5bb6faf4dbd6d0bff057502f18e659c4ef6cc618017
Instruction ID: 0ab7849a1e2cd701608384a3211b989cf0f50dc454548bb6930b1daa8df1a5e7
Opcode Fuzzy Hash: f6980faeb5299499ee4cb5bb6faf4dbd6d0bff057502f18e659c4ef6cc618017
Instruction Fuzzy Hash: 2D31A421B189484FE788EB2C986A778B6C2EF9D705F0505BEE04EC32D7DD689C418741

Function 00007FFD9B8A1D61 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1762735068.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b8a0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007f077bb8962a0f43072455b0019bd99346bacf8e81de8acc924e0ed5c46601
Instruction ID: 37c6a79c9bde48632f217bd5efba2005bbe5de55c2aca6832b4086f4cb36337a
Opcode Fuzzy Hash: 007f077bb8962a0f43072455b0019bd99346bacf8e81de8acc924e0ed5c46601
Instruction Fuzzy Hash: 0D014C15A0EB990FD762A73C58754717FE0DF96640B0905BBD488C71E7E904AA85C392

Analysis Process: $77svchost.exePID: 6296, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B881249 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97715f9f02999a89c6a8ac4d57e46cfef2fce2a161ff52b6588daa0117b2113
Instruction ID: eeb697f1c46e7489d46bb32eb29c12ed00eefdf39e2b179d7879e976b4ace0cf
Opcode Fuzzy Hash: f97715f9f02999a89c6a8ac4d57e46cfef2fce2a161ff52b6588daa0117b2113
Instruction Fuzzy Hash: 8E32D761B29E494FEB98FB689865BB977D2FF9C700F500579E05DC32D6DE38A8018381

Function 00007FFD9B881289 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26820f84f91e7bda57e412794e8536d0c5cd59e439b79bc641b1e2cbce40d18
Instruction ID: e7b7351077d6cf8a3faf867df6abddf39953e87018919b65a42c9286cc7c49ec
Opcode Fuzzy Hash: c26820f84f91e7bda57e412794e8536d0c5cd59e439b79bc641b1e2cbce40d18
Instruction Fuzzy Hash: AE12B561B29E494FEBA8F7689875BB876D2FF9C700F440579E05DC32D6DE38A8418381

Function 00007FFD9B881095 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

3O_^, xrefs: 00007FFD9B881101

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID: 3O_^
API String ID: 0-166494150
Opcode ID: 85c373a33f1f40e80712925aca82b1830a0772aa9a3bac3af94a6a567f1b7c7b
Instruction ID: 91b94e13e7a892d62bc0100d76e52ab6be3b1e520776cb7ceccaa7ba84739ef7
Opcode Fuzzy Hash: 85c373a33f1f40e80712925aca82b1830a0772aa9a3bac3af94a6a567f1b7c7b
Instruction Fuzzy Hash: 99412D32F0EA9A4FEB55F7A8E8B55ED7BB0EF88214B0405B7D059CB1E7DD2428468340

Function 00007FFD9B880BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f26cb074332a4ee4877cd33ecc51ffbf8e074bb20689cd8cabb04ebf28b0f0
Instruction ID: 3d8395fa9623ff16593af223b7eedc32a23968e2a5619909a7faf1cb10184831
Opcode Fuzzy Hash: 65f26cb074332a4ee4877cd33ecc51ffbf8e074bb20689cd8cabb04ebf28b0f0
Instruction Fuzzy Hash: 4C512B21B1EAC60FE366A77848265797FE2DF86614B0900FBD09DC71EBDD1C5C468352

Function 00007FFD9B881100 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536a47b134a4b788d4c455393b7c660f48e104701cddf8556964befaa45bf8af
Instruction ID: e5213975f8a4cf856e45f99996a6e304a1c6d00a6864527b7f32b16f34b61f08
Opcode Fuzzy Hash: 536a47b134a4b788d4c455393b7c660f48e104701cddf8556964befaa45bf8af
Instruction Fuzzy Hash: EE310122E09A8E4FEB45E7A8D8B51FDBBB1EF98240F0501B6D019D71E6DE3429068380

Function 00007FFD9B880A91 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93abbe8ccca27e59b0272703618cfa0c85806ccc099c4ebce47f44cd73b423fc
Instruction ID: f3f84f7ea4dba27825c2540ecd3ffc0672858cf521448856af8945f131855353
Opcode Fuzzy Hash: 93abbe8ccca27e59b0272703618cfa0c85806ccc099c4ebce47f44cd73b423fc
Instruction Fuzzy Hash: 2C31C551B29D094FE798B7B858297BD66D2EF98601F0501B7E01DC32D7DE2869014391

Function 00007FFD9B880949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc68963c3a6562f8e00f3570968e9a9fb981fa3aa9965d85e000d5a71ce8c4ad
Instruction ID: a30ee970e96bef5d0e943850a9864a12ac0fb5bbae8e7fef5f27916ae8ae666b
Opcode Fuzzy Hash: fc68963c3a6562f8e00f3570968e9a9fb981fa3aa9965d85e000d5a71ce8c4ad
Instruction Fuzzy Hash: 2B31A870B18A4E8FEB59EBA89865AED7BF1FF98300F500579D019D32C6DD386941C781

Function 00007FFD9B881C65 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1c890ab116a2dd5413d9a2dd4c83bdc9dd5ccad9d56783e34f5ef69db6baa1
Instruction ID: 66dd5acdc551f53394880b63d8fd6c95ada7b190469212c6d54d57079b8e195c
Opcode Fuzzy Hash: 6a1c890ab116a2dd5413d9a2dd4c83bdc9dd5ccad9d56783e34f5ef69db6baa1
Instruction Fuzzy Hash: 2631A421B189494FEB88EB2C986A778B6C2EF9C705F0505BEE05EC32D7DD689C418741

Function 00007FFD9B881D61 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1831066280.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a886f23739220294e8fbcf3a6573317c3b6cedf0dc162d9cd20a5994acefe541
Instruction ID: 944a1b0765179ad0bbc40deaaba6535a5f95d1476655ad5f6a89d1d4a5bb7a44
Opcode Fuzzy Hash: a886f23739220294e8fbcf3a6573317c3b6cedf0dc162d9cd20a5994acefe541
Instruction Fuzzy Hash: 33019700A0EFC90FE762A73C18750717FE1DF9A600B0805BBE498C70A3ED14AA808382

Analysis Process: $77svchost.exePID: 3592, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8B1249 Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4247eaa0b24020cc1e5e8d842643e19748c2fcda34f41254429df235c6bd2ac
Instruction ID: 498c8f5f9f98a27206938d35319c2a9a7249ef379465f09f0aabe111dff0084f
Opcode Fuzzy Hash: f4247eaa0b24020cc1e5e8d842643e19748c2fcda34f41254429df235c6bd2ac
Instruction Fuzzy Hash: A232E871B29A594FE798FB789865AB977D2FF9C700F4005B9E01DC32D7DE28A8018781

Function 00007FFD9B8B1289 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1feca429621af3ceb22a6cb17fb291e0495d6d69974ddce90a3dfd36a1631b3
Instruction ID: 1cf48099e84d93ed326d4cf192d5d78d59fc68af764a1ca9afbbe0a391e225ba
Opcode Fuzzy Hash: e1feca429621af3ceb22a6cb17fb291e0495d6d69974ddce90a3dfd36a1631b3
Instruction Fuzzy Hash: C412D461B29A594FE7A8F7789875ABC76D2FF9C740F4005B9E01EC32D7DD28A8018781

Function 00007FFD9B8B1095 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

3L_^, xrefs: 00007FFD9B8B1101

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID: 3L_^
API String ID: 0-195740063
Opcode ID: a234b95a02944266fcaeab043bb6e73836960a4f43aab004d50383f9e17c5ecb
Instruction ID: 469b39cbf5dcd8a2f2e7b2d3842225f7d0839cc148159270572b5fa36a3e1a08
Opcode Fuzzy Hash: a234b95a02944266fcaeab043bb6e73836960a4f43aab004d50383f9e17c5ecb
Instruction Fuzzy Hash: AF411632F1A69A4FDB45E7BCA8760F97BB0EF45254B0401B7C0598B1E7ED2428468780

Function 00007FFD9B8B0BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fb752bdeaf904b488073563ef721387d89a9f4cbde2586823380a9ff7f4cd4
Instruction ID: 5d73a935af21c51e1914acbde6426404ed5c7857f99ad79786140817fb5e725e
Opcode Fuzzy Hash: 05fb752bdeaf904b488073563ef721387d89a9f4cbde2586823380a9ff7f4cd4
Instruction Fuzzy Hash: E5511721B1E68A0FE3A6A77848365797BE1DF8A614B0900FBD48DC71EBDD1C5C468392

Function 00007FFD9B8B1100 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218abf31290ce2b8d1d4a89ef4b77a1f2074b9891ecf40bb1fda97811ae85c73
Instruction ID: 0dd6f883f1436f4d68179665ed1b865e87b98c50484859e6550e658c2e2467c8
Opcode Fuzzy Hash: 218abf31290ce2b8d1d4a89ef4b77a1f2074b9891ecf40bb1fda97811ae85c73
Instruction Fuzzy Hash: 1D31E422A1999E0FEB55E7B89C711FDBBB1EF98280F4405B6D009DB1E6DE2429068781

Function 00007FFD9B8B0A91 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ac5c79a1c9e274835d4c6427ebbedb2493ce1948c741343c1dbe73473b5e67
Instruction ID: e750ef656655eee14012f64e4ac2ee46ed06b8adf1711de6b7b44587b3b7001d
Opcode Fuzzy Hash: 44ac5c79a1c9e274835d4c6427ebbedb2493ce1948c741343c1dbe73473b5e67
Instruction Fuzzy Hash: FD31E551B289594BE758BBBC5C297BD77D2EF98601F0502BBE01CC32E7DD1869018781

Function 00007FFD9B8B0949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e237aee434240f3432fd8f1f15fa536d56af9dc07ee35b31df8147bf548685
Instruction ID: 284fadcb660252c75ad51f2f8a6338271f101981dac1a72753c69d744a09bb05
Opcode Fuzzy Hash: e3e237aee434240f3432fd8f1f15fa536d56af9dc07ee35b31df8147bf548685
Instruction Fuzzy Hash: 2231A030B18A1E8FDB49EBB89865AEDB7B1FF98300F5009B9D019C33D6DD3869418781

Function 00007FFD9B8B1C65 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ca5c7903f941a6f0c33cd809fcc40d56deea668d0af61a46003f3105e0eebb
Instruction ID: bfd24fdb94e4df41fbceb181a46d609c38544cbf5bdedcdbbb4707e610b1ba97
Opcode Fuzzy Hash: d0ca5c7903f941a6f0c33cd809fcc40d56deea668d0af61a46003f3105e0eebb
Instruction Fuzzy Hash: E8318421B189494FEB88EB2C986A778B6D2EF9C705F0545BEE04EC32D7DD689C418741

Function 00007FFD9B8B1D61 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911526528.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb62748b5aed06c9d1eb6abbb3e6f9d7836866b05d5913616c789b9c4b43624
Instruction ID: 0fd2ff40ae2176ed6ca3cf5fe387e3c34148d5bbe6c2b25548a681cc8f3abbfe
Opcode Fuzzy Hash: 7cb62748b5aed06c9d1eb6abbb3e6f9d7836866b05d5913616c789b9c4b43624
Instruction Fuzzy Hash: 02014C11A1EBA90FE763A73C58754717FE0DF9A640B0D06BBD488CB1E7D9046A8583C2

Analysis Process: $77svchost.exePID: 1308, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B881249 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f8bafc8435815826d490c7337ad0eb176c016d8e0cb90809a978524cbba77d
Instruction ID: 529c74f09531ca4fa7c9ff3d368674aacd63be7718752de704daa2b93e43f173
Opcode Fuzzy Hash: d6f8bafc8435815826d490c7337ad0eb176c016d8e0cb90809a978524cbba77d
Instruction Fuzzy Hash: 3532C461B29E494FEB98FB689865BB977D2FF9C300F440579E41EC32D6DE38A8418341

Function 00007FFD9B881289 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d5f2763bdc5082d563789a1395da2ded7951dd23f5c7360a7dae6ea6a79d84
Instruction ID: f7635f1a93a65fc67cbc864aaed2bfc5220521dcee852b4643d60b79b0bac89b
Opcode Fuzzy Hash: d2d5f2763bdc5082d563789a1395da2ded7951dd23f5c7360a7dae6ea6a79d84
Instruction Fuzzy Hash: 5612B461B29E4A4FE798F7789875AB976D2FF9C300F4505B9E01EC32D6DE38A8418341

Function 00007FFD9B881095 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

3O_^, xrefs: 00007FFD9B881101

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID: 3O_^
API String ID: 0-166494150
Opcode ID: 9113749884fe0800f705587fb19f159d2802cae831b859a389799095c50b2d9e
Instruction ID: f7b9d0ca07774524da294424b76d43e29d3f0f345a43ee899c4e9e1e35448d40
Opcode Fuzzy Hash: 9113749884fe0800f705587fb19f159d2802cae831b859a389799095c50b2d9e
Instruction Fuzzy Hash: 16412932F0AA5A4FD745F7A8E8B51E97FB0EF89214B0501B7D059CB1E7ED3428468340

Function 00007FFD9B880BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9de2c3dc95d7263f339c307ce1d92ba3ba3afe60af0404bba97adca4fe6b764
Instruction ID: e8b6b76bfe54e24adb209f005fd27b343b76822c00564eee0915d5d2e8edf3ed
Opcode Fuzzy Hash: c9de2c3dc95d7263f339c307ce1d92ba3ba3afe60af0404bba97adca4fe6b764
Instruction Fuzzy Hash: F1513B21B1EAC60FE366A77848265797BE2DF8A214B0900FBD49DC71EBDC1C5C468352

Function 00007FFD9B881100 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec81707f15ad260293a63a18a27594f58c94290287b3fe6aa16ca99841b3c19
Instruction ID: 303471a63d2a1513c68d94a675678c067970901bc74651e61104e12524405e4b
Opcode Fuzzy Hash: fec81707f15ad260293a63a18a27594f58c94290287b3fe6aa16ca99841b3c19
Instruction Fuzzy Hash: EB31E122E09A8E4FEB55E7A8D8B11FDBFB1EF89240F4505B6D019D71E6DE3429068340

Function 00007FFD9B880A91 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93abbe8ccca27e59b0272703618cfa0c85806ccc099c4ebce47f44cd73b423fc
Instruction ID: f3f84f7ea4dba27825c2540ecd3ffc0672858cf521448856af8945f131855353
Opcode Fuzzy Hash: 93abbe8ccca27e59b0272703618cfa0c85806ccc099c4ebce47f44cd73b423fc
Instruction Fuzzy Hash: 2C31C551B29D094FE798B7B858297BD66D2EF98601F0501B7E01DC32D7DE2869014391

Function 00007FFD9B880949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b038e4109d1d5ce56f5331eddaacdfd24e3c7558d72708e605f3d2e071a51411
Instruction ID: 01122476e2fc48b95b3aa907c421eb204399410b2bc7bf5dec5578173170cd53
Opcode Fuzzy Hash: b038e4109d1d5ce56f5331eddaacdfd24e3c7558d72708e605f3d2e071a51411
Instruction Fuzzy Hash: 4E319370B18A0E8FEB49EBB89865AEE77A1FF98300F500579D019D32C6DD386941C741

Function 00007FFD9B881C65 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49a4f51afe266f4fb77c1e9871e2572673dcfcce0a7375f367c61822d1271e3
Instruction ID: e5dcd901e7d0ad4adcf3b8050baa4d49f67a01c20920990c324c377e7eecc12f
Opcode Fuzzy Hash: e49a4f51afe266f4fb77c1e9871e2572673dcfcce0a7375f367c61822d1271e3
Instruction Fuzzy Hash: 7D31A421B189494FE788EB2C986A778B6C2EF9C705F0505BEE05EC32D7DD689C418741

Function 00007FFD9B881D61 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2347446793.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f315406687c023b7d9bdfeb107790c881a8fa94a0a9ac63c28ee98cdbeafa20e
Instruction ID: 8d412d945c555833cd80c0f69761412e515b31001386f9d34d8c0b7a4ed70943
Opcode Fuzzy Hash: f315406687c023b7d9bdfeb107790c881a8fa94a0a9ac63c28ee98cdbeafa20e
Instruction Fuzzy Hash: 9A01CB00A0EF890FE762A73C18704727FE1DF9A700B0905BBE498C70E3ED246A808382

Analysis Process: $77svchost.exePID: 2212, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B881249 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c174de7e87ace207b7db0529b8aa8c1972ef005251fff071a7a0a27e2ed6cc47
Instruction ID: 760c7c4dc4a1b6f78cc2428dea44a091485a10ea48fe0dc92c4cb0c40b87994e
Opcode Fuzzy Hash: c174de7e87ace207b7db0529b8aa8c1972ef005251fff071a7a0a27e2ed6cc47
Instruction Fuzzy Hash: 5C32B661B29E494FE798FB68987AAB977D2FF9C300F440579E41DC32D6DE38A8418341

Function 00007FFD9B881289 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6f5956834b2bd72fdf6bb4ab336ad843d0dda2f04f8c45585051f8194d08cb
Instruction ID: d84fb59595f7ae972f4becbd96dd9e99f8091f5f9a92889480d8c08b09ad753c
Opcode Fuzzy Hash: cf6f5956834b2bd72fdf6bb4ab336ad843d0dda2f04f8c45585051f8194d08cb
Instruction Fuzzy Hash: 0012A461B29E594FE798F768987AAB967D2FF9C300F8405B9E01DC32D6DD38A8418341

Function 00007FFD9B881095 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

3O_^, xrefs: 00007FFD9B881101

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID: 3O_^
API String ID: 0-166494150
Opcode ID: d33f91c3f8bb8c6bd7204f353fbcb4841c0eb564a3d09ec1d5751bc5aca5c431
Instruction ID: 7e33faeaa8967ef708d4ee52ffb08e09f4fb6afe758d7422c2493287eebde03b
Opcode Fuzzy Hash: d33f91c3f8bb8c6bd7204f353fbcb4841c0eb564a3d09ec1d5751bc5aca5c431
Instruction Fuzzy Hash: 29413B32F0EA5A4FDB45F7A8E8B61ED7BB0EF89214B0401B7D059CB1E7ED2428468340

Function 00007FFD9B880BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61904ce33b26aded9df2f2501e84de4df500f4e70c311ca8057d2f9ee348886f
Instruction ID: 72973e34051588dd9e6ee1c00722f8dcd180c13f0982b04d7a6a0a03a293662b
Opcode Fuzzy Hash: 61904ce33b26aded9df2f2501e84de4df500f4e70c311ca8057d2f9ee348886f
Instruction Fuzzy Hash: D6513B21B1EAC60FE366A77848265797BE2DF86214B0900FBD49DC71EBDC1C5C468352

Function 00007FFD9B881100 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04c07a2b02a211db8a416214d7cf31fa2ee4953df1f77644d09eab98856ca89
Instruction ID: 93bc81ff39361f99208aba2e1a116cd99e28d3d134db9c0d24bed43950fe6ef8
Opcode Fuzzy Hash: b04c07a2b02a211db8a416214d7cf31fa2ee4953df1f77644d09eab98856ca89
Instruction Fuzzy Hash: DA31E122E09A8E4FEB55E7A8D8B21FDBBB1EF89240F4505B6D059D71E6DE3429068340

Function 00007FFD9B880A91 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93abbe8ccca27e59b0272703618cfa0c85806ccc099c4ebce47f44cd73b423fc
Instruction ID: f3f84f7ea4dba27825c2540ecd3ffc0672858cf521448856af8945f131855353
Opcode Fuzzy Hash: 93abbe8ccca27e59b0272703618cfa0c85806ccc099c4ebce47f44cd73b423fc
Instruction Fuzzy Hash: 2C31C551B29D094FE798B7B858297BD66D2EF98601F0501B7E01DC32D7DE2869014391

Function 00007FFD9B880949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6285da16822da32f7312826bfca8109f6ddc01070cac957d15f1d38acffa71d
Instruction ID: 29f2ce428e14bc326334c66617cd60080ae26e189997bcef44f8ade42ebc62fa
Opcode Fuzzy Hash: a6285da16822da32f7312826bfca8109f6ddc01070cac957d15f1d38acffa71d
Instruction Fuzzy Hash: 16319070B18A0E8FEB49FBA89875AEDB7A1FF98300F904579D019D32C6DE386941C741

Function 00007FFD9B881C65 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e1b95e1e60719deccec3303ed809afc986c9b8175fd81249a5f3c1f27fc469
Instruction ID: fde1b93645a8af04d73b23bf7f45950ec9006cc63f9d3fefd26c53fafe24220c
Opcode Fuzzy Hash: 90e1b95e1e60719deccec3303ed809afc986c9b8175fd81249a5f3c1f27fc469
Instruction Fuzzy Hash: 8B31A421B189494FE788FB2C986A778B6C2EF9C705F0505BEE05EC32E7DD689C418741

Function 00007FFD9B881D61 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2953688935.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc7331cf4b8d5264078c00faf57676afc436a05e4a31f93920ab28bcb409b96
Instruction ID: e33e76e36281834218699b2dc12ad1e72715769201fea2d5ea3f4135a22040bb
Opcode Fuzzy Hash: dcc7331cf4b8d5264078c00faf57676afc436a05e4a31f93920ab28bcb409b96
Instruction Fuzzy Hash: D801CB00A0EF890FE762B73C28750717FE1DF9A700B0805BBE498C70E3ED146A808382

Analysis Process: $77svchost.exePID: 2800, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8B1249 Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e331fc3079d38465e5f12362b35c353764e3ebc132c88ee11221f771a0cbf8
Instruction ID: a5f7630c69b869023ec4eaf9cf529f17b0cdf37239b0ce52a503575a22b1120f
Opcode Fuzzy Hash: 44e331fc3079d38465e5f12362b35c353764e3ebc132c88ee11221f771a0cbf8
Instruction Fuzzy Hash: 53320861B29A194FEB58FB789879AB977D2FF9C300F410579E01EC32D6DD28A8418781

Function 00007FFD9B8B1289 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1b39c337aa81067cac3c7031426606fa0bed7bd03f8cdc60be286d09b3d181
Instruction ID: 5509eb0e40667875f8a82456114c96db04d133cde81a74866d457b6d4e2e518f
Opcode Fuzzy Hash: 4a1b39c337aa81067cac3c7031426606fa0bed7bd03f8cdc60be286d09b3d181
Instruction Fuzzy Hash: BC12D761B29A594FE798F7789879ABC77D2FF9C300F850579E00EC32D6DD28A8418781

Function 00007FFD9B8B1095 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

3L_^, xrefs: 00007FFD9B8B1101

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID: 3L_^
API String ID: 0-195740063
Opcode ID: e02247434d3b4a457acb17d80d1bb9a59a508eaf28104b638a596fa8dc8e4fa9
Instruction ID: a06314905f07f5714fea6ffbc254b7cbf3ef1c4cecb9a38bb6e0222fe544068c
Opcode Fuzzy Hash: e02247434d3b4a457acb17d80d1bb9a59a508eaf28104b638a596fa8dc8e4fa9
Instruction Fuzzy Hash: 0B411672F1A69A4FDB45E7BCA8760F97BB0EF45254B4401B7C0598B1E7ED2428468780

Function 00007FFD9B8B0BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9883a98f9c4c45b8f16aeba01a1f1c8f91f279cf59a5819056b1c8055b744ff0
Instruction ID: c39eb37ce5ac4153321636a24ed312225fcb300ca26161a40821ac7b5ee79eea
Opcode Fuzzy Hash: 9883a98f9c4c45b8f16aeba01a1f1c8f91f279cf59a5819056b1c8055b744ff0
Instruction Fuzzy Hash: 07511921B1E68A0FE366A77848365797BE1DF8A614B0A00FBD48DC71EBDD1C5C468392

Function 00007FFD9B8B1100 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1654cc9bf45025d3c42a1d0171482363f323ed27a904246d985e3a2bfa21819f
Instruction ID: 3631071ab30186e1cca022ac140739d71ce69c03f75fb37dc9ce79d6d62e21b6
Opcode Fuzzy Hash: 1654cc9bf45025d3c42a1d0171482363f323ed27a904246d985e3a2bfa21819f
Instruction Fuzzy Hash: 4C31E662A1999E0FDB55E7B89C721FDBBB1EF88250F4401B6D009DB1E6DE2429068781

Function 00007FFD9B8B0A91 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ac5c79a1c9e274835d4c6427ebbedb2493ce1948c741343c1dbe73473b5e67
Instruction ID: e750ef656655eee14012f64e4ac2ee46ed06b8adf1711de6b7b44587b3b7001d
Opcode Fuzzy Hash: 44ac5c79a1c9e274835d4c6427ebbedb2493ce1948c741343c1dbe73473b5e67
Instruction Fuzzy Hash: FD31E551B289594BE758BBBC5C297BD77D2EF98601F0502BBE01CC32E7DD1869018781

Function 00007FFD9B8B0949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b981efe4e92aa957a32bf36428696f25c7376fad10b324507f5bb6e6703d83
Instruction ID: 77a134b6d2f6a508f31c5c3aeb5ac7c12dc48e7998588db32a81e4e40df98495
Opcode Fuzzy Hash: a0b981efe4e92aa957a32bf36428696f25c7376fad10b324507f5bb6e6703d83
Instruction Fuzzy Hash: B331A230B18A1E8FDB48EBB89875AED77A1FF98300F900479D01AC32C6DD386941CB81

Function 00007FFD9B8B1C65 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e639de2b552091a719adcaddeaf8d8bf4c3008b4acfcb192d67523a1b9b3ed52
Instruction ID: ee9b83b398a5d9530ca7b1d6944c7d8f772e8ab27567e582ae268242158316ea
Opcode Fuzzy Hash: e639de2b552091a719adcaddeaf8d8bf4c3008b4acfcb192d67523a1b9b3ed52
Instruction Fuzzy Hash: 3531A421B189484FEB88FB2C986A778B6C2EF9C705F0505BEE04EC32D7DD689C418741

Function 00007FFD9B8B1D61 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3537345372.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8b0000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac67433fcc68b853bd74c1cad2a82e5c23e1e1e6683dd97bcde30bde6808a07c
Instruction ID: 8fcd3dd967d1f3d6e6c89524490946ab5f6b9c41d3e20518744aa79b225dbda4
Opcode Fuzzy Hash: ac67433fcc68b853bd74c1cad2a82e5c23e1e1e6683dd97bcde30bde6808a07c
Instruction Fuzzy Hash: 25019C11A0EBA90FE762A73C18754717FE0CF96240B0D02BBD488CB0E3D9046A8583C2

Analysis Process: $77svchost.exePID: 6452, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B881249 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4118204103.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff3f3dc2aa360b176f5dd5b66e4419f9d2eceb402a1768553027e2731654ecd
Instruction ID: 22eb74bebdadcb9049a0ac632a2062ab9eef256416b8a0442571f2e054c71b87
Opcode Fuzzy Hash: 8ff3f3dc2aa360b176f5dd5b66e4419f9d2eceb402a1768553027e2731654ecd
Instruction Fuzzy Hash: 6732B361B29E494FE798FB689865BB977D2FF9C340F410579E01EC32DADE38A8418341

Function 00007FFD9B881289 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4118204103.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9455132d9d4077d833dc0353dcfa10997c8dd4b8802e5e59f10c921effa499
Instruction ID: d690801bb09f9601f661d857bffc9833e9663709fc79ed3c0a7e7e81a6979574
Opcode Fuzzy Hash: 7a9455132d9d4077d833dc0353dcfa10997c8dd4b8802e5e59f10c921effa499
Instruction Fuzzy Hash: BF12C561B29E494FE799FB689875BB876D2FF9C740F410579E01EC32DADE38A8018341

Function 00007FFD9B881095 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

3O_^, xrefs: 00007FFD9B881101

Memory Dump Source

Source File: 0000000D.00000002.4118204103.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID: 3O_^
API String ID: 0-166494150
Opcode ID: 4ec286e9acc92eacd9820d07defb29b58e7e12b37b483e851a9221271d76ac3c
Instruction ID: 595b484b46d524a1d1f09a00ca9fffba7703aecb838dd9740158aeacc9e943e3
Opcode Fuzzy Hash: 4ec286e9acc92eacd9820d07defb29b58e7e12b37b483e851a9221271d76ac3c
Instruction Fuzzy Hash: 93411A32F0EA5A4FD755F7A8E8B55E97BB0EF88214B0505B7D069CB1E7ED3428468340

Function 00007FFD9B880BFE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4118204103.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102e425a33165c5d701cfb8a14cb1a967cbbf36a7f6a3451540eede3a5415536
Instruction ID: ab68e0a2069fe670df6c192a1a10dde159cce33ddc4b57bced3fbb9e889b6b94
Opcode Fuzzy Hash: 102e425a33165c5d701cfb8a14cb1a967cbbf36a7f6a3451540eede3a5415536
Instruction Fuzzy Hash: EB512B21B1EAC60FE366A77848265797BE2DF86614B0900FBD09DC71EBDD1C5C468352

Function 00007FFD9B881100 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4118204103.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675613b90810757072eb006c346aeb22f9cf44c08ebcf5ce04ea6dd7d3af32a0
Instruction ID: 25746621de9921baeb37db4a2a8eabd3fda497912a3b1b75dcbb9b38f51d3aef
Opcode Fuzzy Hash: 675613b90810757072eb006c346aeb22f9cf44c08ebcf5ce04ea6dd7d3af32a0
Instruction Fuzzy Hash: CC31E422E0998E4FEB55E7A8D8B11FDBBB1EF88240F4505B6D029D71EADE3429058340

Function 00007FFD9B880A91 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4118204103.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93abbe8ccca27e59b0272703618cfa0c85806ccc099c4ebce47f44cd73b423fc
Instruction ID: f3f84f7ea4dba27825c2540ecd3ffc0672858cf521448856af8945f131855353
Opcode Fuzzy Hash: 93abbe8ccca27e59b0272703618cfa0c85806ccc099c4ebce47f44cd73b423fc
Instruction Fuzzy Hash: 2C31C551B29D094FE798B7B858297BD66D2EF98601F0501B7E01DC32D7DE2869014391

Function 00007FFD9B880949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4118204103.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_$77svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fa50cb19b12def067052edd7e5ce0fcba7a3d5315549e06dc003a57e67893c
Instruction ID: d2b4f0e9c6efda6d220b77a6278c7fc80a99fd2761711d5fd607450a9388702a
Opcode Fuzzy Hash: d7fa50cb19b12def067052edd7e5ce0fcba7a3d5315549e06dc003a57e67893c
Instruction Fuzzy Hash: 6231B370B19A0E8FEB49EBA8D865AED77A1FF98300F510579D01DC32D6DD386841C741

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dr2YKJiGH9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77svchost.exe.log

C:\Users\user\AppData\Roaming\$77svchost.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
dr2YKJiGH9.exe