Play interactive tour

Edit tour

Windows Analysis Report 1wsm2uXwSY.exe

Overview

General Information

Sample Name:	1wsm2uXwSY.exe
Analysis ID:	483751
MD5:	a560665e36e1af3084e31055adc83808
SHA1:	c9d07a945765b3f90e0a970a748af631f22cf0e3
SHA256:	3ffef680021c116955e889822e935c55b05576f9a0f9bd1dde334c0ccbfca006
Tags:	exeOrcusRAT
Infos:
Most interesting Screenshot:

Detection

Orcus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Orcus RAT

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Installs a global keyboard hook

.NET source code references suspicious native API functions

Yara detected Costura Assembly Loader

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

.NET source code contains potential unpacker

.NET source code contains very large strings

Contains functionality to disable the Task Manager (.Net Source)

Drops executables to the windows directory (C:\Windows) and starts them

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

PE file contains executable resources (Code or Archives)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates or modifies windows services

Dropped file seen in connection with other malware

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

1wsm2uXwSY.exe (PID: 6032 cmdline: 'C:\Users\user\Desktop\1wsm2uXwSY.exe' MD5: A560665E36E1AF3084E31055ADC83808)

WindowsInput.exe (PID: 992 cmdline: 'C:\Windows\SysWOW64\WindowsInput.exe' --install MD5: E6FCF516D8ED8D0D4427F86E08D0D435)

WindowsInput.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\WindowsInput.exe MD5: E6FCF516D8ED8D0D4427F86E08D0D435)

svchost.exe (PID: 3468 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5180 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1836 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4812 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2140 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2000 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6220 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6264 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5672 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6344 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: OrcusRAT

{"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "Orcus", "TaskHighestPrivileges": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Orcus", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "true", "AssemblyTitle": "Synapse X", "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2021-09-12T08:05:49-04:00"}, "ChangeIconBuilderProperty": {"ChangeIcon": "true", "IconPath": "C:\\Users\\Administrator\\Documents\\storage\\shitty rat maker\\icons\\synapse.ico"}, "ClientTagBuilderProperty": {"ClientTag": null}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "136.144.41.171", "Port": "10134"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Orcus"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "true"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "false"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET45"}, "HideFileBuilderProperty": {"HideFile": "true"}, "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Synapse\\Synapse.exe"}, "InstallBuilderProperty": {"Install": "false"}, "KeyloggerBuilderProperty": {"IsEnabled": "true"}, "MutexBuilderProperty": {"Mutex": "e744d5f8bc5b44fcae386e2debf8200e"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"}, "ServiceBuilderProperty": {"Install": "true"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "false"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "OrcusWatchdog.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
1wsm2uXwSY.exe	MAL_BackNet_Nov18_1	Detects BackNet samples	Florian Roth	0xcbed8:$s1: ProcessedByFody 0xd7ac2:$s2: SELECT * FROM AntivirusProduct
1wsm2uXwSY.exe	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
1wsm2uXwSY.exe	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0xcb652:$text01: Orcus.CommandManagement 0xb22d3:$text02: Orcus.Commands. 0xbfc6a:$text02: Orcus.Commands. 0xbfdd8:$text02: Orcus.Commands. 0xbfe18:$text02: Orcus.Commands. 0xbfe6d:$text02: Orcus.Commands. 0xc009c:$text02: Orcus.Commands. 0xc0891:$text02: Orcus.Commands. 0xc0cf8:$text02: Orcus.Commands. 0xc109f:$text02: Orcus.Commands. 0xc130b:$text02: Orcus.Commands. 0xc15e7:$text02: Orcus.Commands. 0xc1933:$text02: Orcus.Commands. 0xc1a28:$text02: Orcus.Commands. 0xc1fe0:$text02: Orcus.Commands. 0xc21b0:$text02: Orcus.Commands. 0xc24d1:$text02: Orcus.Commands. 0xc2774:$text02: Orcus.Commands. 0xc284f:$text02: Orcus.Commands. 0xc2dbf:$text02: Orcus.Commands. 0xc2e5e:$text02: Orcus.Commands.

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0xcb452:$text01: Orcus.CommandManagement 0xb20d3:$text02: Orcus.Commands. 0xbfa6a:$text02: Orcus.Commands. 0xbfbd8:$text02: Orcus.Commands. 0xbfc18:$text02: Orcus.Commands. 0xbfc6d:$text02: Orcus.Commands. 0xbfe9c:$text02: Orcus.Commands. 0xc0691:$text02: Orcus.Commands. 0xc0af8:$text02: Orcus.Commands. 0xc0e9f:$text02: Orcus.Commands. 0xc110b:$text02: Orcus.Commands. 0xc13e7:$text02: Orcus.Commands. 0xc1733:$text02: Orcus.Commands. 0xc1828:$text02: Orcus.Commands. 0xc1de0:$text02: Orcus.Commands. 0xc1fb0:$text02: Orcus.Commands. 0xc22d1:$text02: Orcus.Commands. 0xc2574:$text02: Orcus.Commands. 0xc264f:$text02: Orcus.Commands. 0xc2bbf:$text02: Orcus.Commands. 0xc2c5e:$text02: Orcus.Commands.
00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0xcb452:$text01: Orcus.CommandManagement 0xb20d3:$text02: Orcus.Commands. 0xbfa6a:$text02: Orcus.Commands. 0xbfbd8:$text02: Orcus.Commands. 0xbfc18:$text02: Orcus.Commands. 0xbfc6d:$text02: Orcus.Commands. 0xbfe9c:$text02: Orcus.Commands. 0xc0691:$text02: Orcus.Commands. 0xc0af8:$text02: Orcus.Commands. 0xc0e9f:$text02: Orcus.Commands. 0xc110b:$text02: Orcus.Commands. 0xc13e7:$text02: Orcus.Commands. 0xc1733:$text02: Orcus.Commands. 0xc1828:$text02: Orcus.Commands. 0xc1de0:$text02: Orcus.Commands. 0xc1fb0:$text02: Orcus.Commands. 0xc22d1:$text02: Orcus.Commands. 0xc2574:$text02: Orcus.Commands. 0xc264f:$text02: Orcus.Commands. 0xc2bbf:$text02: Orcus.Commands. 0xc2c5e:$text02: Orcus.Commands.
Process Memory Space: 1wsm2uXwSY.exe PID: 6032	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Process Memory Space: 1wsm2uXwSY.exe PID: 6032	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 1wsm2uXwSY.exe PID: 6032	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0xd964e:$text01: Orcus.CommandManagement 0xbd516:$text02: Orcus.Commands. 0xbd792:$text02: Orcus.Commands. 0xbda3d:$text02: Orcus.Commands. 0xbdb85:$text02: Orcus.Commands. 0xbdda3:$text02: Orcus.Commands. 0xbe02c:$text02: Orcus.Commands. 0xbe11d:$text02: Orcus.Commands. 0xbe4a0:$text02: Orcus.Commands. 0xbe586:$text02: Orcus.Commands. 0xbe87d:$text02: Orcus.Commands. 0xbe940:$text02: Orcus.Commands. 0xbebd1:$text02: Orcus.Commands. 0xbef6b:$text02: Orcus.Commands. 0xbf094:$text02: Orcus.Commands. 0xbf109:$text02: Orcus.Commands. 0xbf1a7:$text02: Orcus.Commands. 0xbf587:$text02: Orcus.Commands. 0xbf836:$text02: Orcus.Commands. 0xbf92f:$text02: Orcus.Commands. 0xbfd65:$text02: Orcus.Commands.
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.1wsm2uXwSY.exe.2f0000.0.unpack	MAL_BackNet_Nov18_1	Detects BackNet samples	Florian Roth	0xcbed8:$s1: ProcessedByFody 0xd7ac2:$s2: SELECT * FROM AntivirusProduct
0.2.1wsm2uXwSY.exe.2f0000.0.unpack	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
0.2.1wsm2uXwSY.exe.2f0000.0.unpack	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0xcb652:$text01: Orcus.CommandManagement 0xb22d3:$text02: Orcus.Commands. 0xbfc6a:$text02: Orcus.Commands. 0xbfdd8:$text02: Orcus.Commands. 0xbfe18:$text02: Orcus.Commands. 0xbfe6d:$text02: Orcus.Commands. 0xc009c:$text02: Orcus.Commands. 0xc0891:$text02: Orcus.Commands. 0xc0cf8:$text02: Orcus.Commands. 0xc109f:$text02: Orcus.Commands. 0xc130b:$text02: Orcus.Commands. 0xc15e7:$text02: Orcus.Commands. 0xc1933:$text02: Orcus.Commands. 0xc1a28:$text02: Orcus.Commands. 0xc1fe0:$text02: Orcus.Commands. 0xc21b0:$text02: Orcus.Commands. 0xc24d1:$text02: Orcus.Commands. 0xc2774:$text02: Orcus.Commands. 0xc284f:$text02: Orcus.Commands. 0xc2dbf:$text02: Orcus.Commands. 0xc2e5e:$text02: Orcus.Commands.
0.0.1wsm2uXwSY.exe.2f0000.0.unpack	MAL_BackNet_Nov18_1	Detects BackNet samples	Florian Roth	0xcbed8:$s1: ProcessedByFody 0xd7ac2:$s2: SELECT * FROM AntivirusProduct
0.0.1wsm2uXwSY.exe.2f0000.0.unpack	JoeSecurity_OrcusRat	Yara detected Orcus RAT	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
0.0.1wsm2uXwSY.exe.2f0000.0.unpack	RAT_Orcus	unknown	J from THL <j@techhelplist.com> with thx to MalwareHunterTeam	0xcb652:$text01: Orcus.CommandManagement 0xb22d3:$text02: Orcus.Commands. 0xbfc6a:$text02: Orcus.Commands. 0xbfdd8:$text02: Orcus.Commands. 0xbfe18:$text02: Orcus.Commands. 0xbfe6d:$text02: Orcus.Commands. 0xc009c:$text02: Orcus.Commands. 0xc0891:$text02: Orcus.Commands. 0xc0cf8:$text02: Orcus.Commands. 0xc109f:$text02: Orcus.Commands. 0xc130b:$text02: Orcus.Commands. 0xc15e7:$text02: Orcus.Commands. 0xc1933:$text02: Orcus.Commands. 0xc1a28:$text02: Orcus.Commands. 0xc1fe0:$text02: Orcus.Commands. 0xc21b0:$text02: Orcus.Commands. 0xc24d1:$text02: Orcus.Commands. 0xc2774:$text02: Orcus.Commands. 0xc284f:$text02: Orcus.Commands. 0xc2dbf:$text02: Orcus.Commands. 0xc2e5e:$text02: Orcus.Commands.
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1wsm2uXwSY.exe

Malware Configuration Extractor: OrcusRAT {"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "Orcus", "TaskHighestPrivileges": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Orcus", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "true", "AssemblyTitle": "Synapse X", "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2021-09-12T08:05:49-04:00"}, "ChangeIconBuilderProperty": {"ChangeIcon": "true", "IconPath": "C:\\Users\\Administrator\\Documents\\storage\\shitty rat maker\\icons\\synapse.ico"}, "ClientTagBuilderProperty": {"ClientTag": null}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "136.144.41.171", "Port": "10134"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Orcus"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "true"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "false"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET45"}, "HideFileBuilderProperty": {"HideFile": "true"}, "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Synapse\\Synapse.exe"}, "InstallBuilderProperty": {"Install": "false"}, "KeyloggerBuilderProperty": {"IsEnabled": "true"}, "MutexBuilderProperty": {"Mutex": "e744d5f8bc5b44fcae386e2debf8200e"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"}, "ServiceBuilderProperty": {"Install": "true"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "false"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "OrcusWatchdog.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}

Multi AV Scanner detection for submitted file

Show sources

Source: 1wsm2uXwSY.exe	Virustotal: Detection: 64%	Perma Link
Source: 1wsm2uXwSY.exe	Metadefender: Detection: 62%	Perma Link
Source: 1wsm2uXwSY.exe	ReversingLabs: Detection: 79%

Antivirus / Scanner detection for submitted sample

Show sources

Source: 1wsm2uXwSY.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Windows\SysWOW64\WindowsInput.exe

Avira: detection malicious, Label: TR/Agent.zgvcy

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\SysWOW64\WindowsInput.exe	Metadefender: Detection: 70%			Perma Link
Source: C:\Windows\SysWOW64\WindowsInput.exe	ReversingLabs: Detection: 86%

Machine Learning detection for sample

Show sources

Source: 1wsm2uXwSY.exe

Joe Sandbox ML: detected

Source: 1wsm2uXwSY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 1wsm2uXwSY.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Features\Orcus.Service\obj\Release\Orcus.Service.pdblf source: 1wsm2uXwSY.exe, 00000000.00000002.515213538.00000000029C0000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000000.226049010.0000000000B52000.00000002.00020000.sdmp, WindowsInput.exe, 00000005.00000002.491758825.0000000000462000.00000002.00020000.sdmp, WindowsInput.exe.0.dr
Source:	Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.515638251.0000000002A32000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.515213538.00000000029C0000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Features\Orcus.Service\obj\Release\Orcus.Service.pdb source: WindowsInput.exe, WindowsInput.exe.0.dr
Source:	Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: 1wsm2uXwSY.exe, 00000000.00000002.515638251.0000000002A32000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.514919469.0000000002983000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.518013459.0000000004B50000.00000004.00020000.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdbDr source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdbD source: 1wsm2uXwSY.exe, 00000000.00000002.518013459.0000000004B50000.00000004.00020000.sdmp

Source: Joe Sandbox View

ASN Name: WORLDSTREAMNL WORLDSTREAMNL

Source: global traffic

TCP traffic: 192.168.2.3:49737 -> 136.144.41.171:10134

Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 136.144.41.171

Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://aia.startssl.com/certs/sca.code3.crt06
Source: 1wsm2uXwSY.exe, 00000000.00000002.520322448.0000000005790000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.507580524.000002B014888000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://crl.startssl.com/sca-code3.crl0#
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://crl.startssl.com/sfsca.crl0f
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000007.00000002.505224674.000002B014814000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 1wsm2uXwSY.exe, 00000000.00000003.240192397.0000000005814000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1wsm2uXwSY.exe, 00000000.00000002.502371283.0000000000B4F000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0
Source: 1wsm2uXwSY.exe, 00000000.00000003.240192397.0000000005814000.00000004.00000001.sdmp, 1wsm2uXwSY.exe, 00000000.00000002.520322448.0000000005790000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f4ff848365b24
Source: 1wsm2uXwSY.exe, 00000000.00000002.502371283.0000000000B4F000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ent
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.startssl.com00
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.startssl.com07
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry
Source: WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anon
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.505312254.00000000014AB000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.505312254.00000000014AB000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506383414.00000000014F8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/system
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506383414.00000000014F8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/identity
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.505312254.00000000014AB000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/:NetNamedPipeBinding
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServiceP
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServiceP$
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServiceP(
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServiceP0
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServiceP8
Source: WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKeyResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/CreateValue
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/CreateValueResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteFile
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteFileResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKeyResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteValue
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/DeleteValueResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetPath
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetPathResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeys
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValues
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValuesResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLog
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLogResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/IsAlive
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506383414.00000000014F8000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/IsAliveDnet.pipe://localhost/69e001dd06a44ff1b3260a75a6f10381/OrcusU
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/IsAliveResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/StartProcess
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/StartProcessResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/StartProcessom
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/WriteFile
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IServicePipe/WriteFileResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506383414.00000000014F8000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/V
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/lJ)
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/t&)
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchost.exe, 0000000E.00000002.313404338.000002B1EF413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://www.startssl.com/0P
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	String found in binary or memory: http://www.startssl.com/policy0
Source: WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp	String found in binary or memory: http://www.w3.o
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: 1wsm2uXwSY.exe	String found in binary or memory: https://api.ipify.org/
Source: 1wsm2uXwSY.exe	String found in binary or memory: https://api.ipify.org/I(.
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.312028259.000002B1EF440000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.312028259.000002B1EF440000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.311769035.000002B1EF463000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.312028259.000002B1EF440000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.313404338.000002B1EF413000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.312252438.000002B1EF456000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.312252438.000002B1EF456000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.311889347.000002B1EF447000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1wsm2uXwSY.exe

Jump to behavior

System Summary:

Yara detected Orcus RAT

Show sources

Source: Yara match	File source: 1wsm2uXwSY.exe, type: SAMPLE
Source: Yara match	File source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1wsm2uXwSY.exe PID: 6032, type: MEMORYSTR

Malicious sample detected (through community Yara rule)

Show sources

Source: 1wsm2uXwSY.exe, type: SAMPLE	Matched rule: Detects BackNet samples Author: Florian Roth
Source: 1wsm2uXwSY.exe, type: SAMPLE	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BackNet samples Author: Florian Roth
Source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 0.0.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BackNet samples Author: Florian Roth
Source: 0.0.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: Process Memory Space: 1wsm2uXwSY.exe PID: 6032, type: MEMORYSTR	Matched rule: RAT_Orcus Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam

.NET source code contains very large strings

Show sources

Source: 1wsm2uXwSY.exe, Orcus/Config/SettingsData.cs

Long String: Length: 14040

Source: 1wsm2uXwSY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 1wsm2uXwSY.exe, type: SAMPLE	Matched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
Source: 1wsm2uXwSY.exe, type: SAMPLE	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
Source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 0.0.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
Source: 0.0.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: 00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/
Source: Process Memory Space: 1wsm2uXwSY.exe PID: 6032, type: MEMORYSTR	Matched rule: RAT_Orcus date = 2017/01, filetype = memory, author = J from THL <j@techhelplist.com> with thx to MalwareHunterTeam, version = RAT, reference = https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

File created: C:\Windows\SysWOW64\WindowsInput.exe

Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024F76A0	0_2_024F76A0
Source: C:\Windows\SysWOW64\WindowsInput.exe	Code function: 3_2_00007FFAEEE90DA2	3_2_00007FFAEEE90DA2
Source: C:\Windows\SysWOW64\WindowsInput.exe	Code function: 5_2_00007FFAEEEB679A	5_2_00007FFAEEEB679A
Source: C:\Windows\SysWOW64\WindowsInput.exe	Code function: 5_2_00007FFAEEEBC3D0	5_2_00007FFAEEEBC3D0
Source: C:\Windows\SysWOW64\WindowsInput.exe	Code function: 5_2_00007FFAEEEB0A90	5_2_00007FFAEEEB0A90

Source: 1wsm2uXwSY.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameOrcus.Shared.dllB vs 1wsm2uXwSY.exe
Source: 1wsm2uXwSY.exe, 00000000.00000002.515638251.0000000002A32000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamestarksoft.aspen.dllP vs 1wsm2uXwSY.exe
Source: 1wsm2uXwSY.exe, 00000000.00000002.496310243.00000000003D6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOrcus.exe vs 1wsm2uXwSY.exe
Source: 1wsm2uXwSY.exe, 00000000.00000002.497489532.0000000000765000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 1wsm2uXwSY.exe
Source: 1wsm2uXwSY.exe, 00000000.00000002.515213538.00000000029C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameOrcus.Service.exe: vs 1wsm2uXwSY.exe
Source: 1wsm2uXwSY.exe, 00000000.00000002.515213538.00000000029C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameOrcus.StaticCommands.dllJ vs 1wsm2uXwSY.exe
Source: 1wsm2uXwSY.exe, 00000000.00000002.514919469.0000000002983000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameOrcus.Shared.Utilities.dllN vs 1wsm2uXwSY.exe
Source: 1wsm2uXwSY.exe, 00000000.00000002.518013459.0000000004B50000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameOrcus.Plugins.dll< vs 1wsm2uXwSY.exe
Source: 1wsm2uXwSY.exe	Binary or memory string: OriginalFilenameOrcus.exe vs 1wsm2uXwSY.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Windows\SysWOW64\WindowsInput.exe 8DBE814359391ED6B0B5B182039008CF1D00964DA9FBC4747F46242A95C24337

Source: 1wsm2uXwSY.exe	Virustotal: Detection: 64%
Source: 1wsm2uXwSY.exe	Metadefender: Detection: 62%
Source: 1wsm2uXwSY.exe	ReversingLabs: Detection: 79%

Source: 1wsm2uXwSY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1wsm2uXwSY.exe 'C:\Users\user\Desktop\1wsm2uXwSY.exe'
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process created: C:\Windows\SysWOW64\WindowsInput.exe 'C:\Windows\SysWOW64\WindowsInput.exe' --install
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsInput.exe C:\Windows\SysWOW64\WindowsInput.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process created: C:\Windows\SysWOW64\WindowsInput.exe 'C:\Windows\SysWOW64\WindowsInput.exe' --install	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor

Source: C:\Windows\SysWOW64\WindowsInput.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsInput.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/17@0/2

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 1wsm2uXwSY.exe, Orcus/Protection/RespawnTask.cs

Task registration methods: 'RegisterRespawnTask'

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: 1wsm2uXwSY.exe, Orcus/Config/SettingsData.cs

Base64 encoded string: 'peN6cunGBEtqsDfyLIWu9H9BKFk8jPnnw2tquvty4DhoWS/FFcDYYm5KTaO0APdUB5HuAJya2a4rvC76cS1711dC6iymlR/0zxZgSosnMpS8C1wA8Sn82jBad+UVJgFGoS17UrXvEZDsILTsQVHUcyv19ZlQtrw7OK9Br53Boa0WrJSAuuhQgANZYS8PNQH4D2iDD+7fgExi/1lezWRNFYuggfKOqEr9lTL70AxZe/SOVPq1UbxLHa37kzl9n6zPP+PDhe/QMDuXrmp8CBKdw+IQTgg/O+aZ5jDvRh3C5j1oQMWvz0EPgyCxR5e07QMvPjdagMxk2oHQKb4glzTbAV9jOhm+Dsz2ujLCthVf3IQH/QOdxjrMz0cGUAKJB9fnVfyy4jJs5LCGkzvqSXvaFmmNnth9kymaEvx2NUx6VBeikDxAzI7e5926Y/O8ON+fpZkUV/TyR3H7v1Y+mERLMO5+Z1d+E8IduzUaBjRzUt5vRvAzL2jIPoG02/YM3ceQ+cN3tTeH+Cirz1DAWdH8Kre0zLBqniYgi4oQdZ0rR5zYWVt8xsq2cEH45Qn3X/muiBlQ5EsHRpBQyp8p7BJYe7rdbhrUus9MtXagxrs9pngqFV2RfJZhoYC1TiZFhGx/CvThw2tE9hQte8U+a6m5KT92L8QDNOJ1LLW7uebbNWaBtS7ELzcctRCEZ43Oru3Z3+mpay2/pW5i+ErqdxEmvlgI2rwGWhEL2oO9l2K4wiT3JesmtiJfiZstsTam37rPI3CqpaFITkz8677y27oh7LAyDuS3HVfCWCGSiaqSyeoQJxmo1l+I/UHJRzcOiMaHMceEkozNyndMxVQYzpLkAuxgPJYrCU16fjsSTVg44js59R3nlJ/qBmcwRKY9ndj0svADxA7rG0K2ZIMsewTokmNGHrvx15AuhNoxPzuXtTSPWYPtcBRhETOIbfEcHghHGIeUczOX8qgCflT+9YwHTlL0muGHj3GpLoD7sCgKVdjtTsyWpP8/WU+CPB8yzzK2yJ5grhZ6mULn+qBqVE9fr9EYGu5xoOa0419duvN3i5RPb9Coy0Txvqck7gpotu4ZBU3Tt0JzU19eoF7m8369ZJahZVbzN9PHlnzzZ9F8TUqTv/DEfNQ8b63yHCOa24Nm9j0IzpNPzCSN1rwnM6AWE/d/t0Yaj7o9l1yHv0LW0WI9+cXGlSDZDU39VDIRwwX2+DxOSPevUvz4S3/Ri9bsFftAIYdoF+5UOFpckm+atQQcUGzo1JPq9cXo4vqT582+7uh0p5EQOnMulrcGG9ITk4ex13ouO7D6m27jlqbptcOzxrp3r0gptX11Fr0Zr9atCRrjOMAsj5FqgWob2nx4mooxJX+3bXDUuVb4Vlfn8VPGdFDvT9/v8++mB7WFpaeVJYWIOr4H4Dgwy2JN5ATyQM0Meua95inVeBklpFVRNU5BH0qrMDm//adrKD//mZAczEF8FOtL2CuR2Z26Fn0a1ogZDYklcnb2WWfjmR1MUBt5Rrybufpmd4WJiviUG/6C8h4/EfoxrfHeRICCHKXknZdz6X+im/IhIIpzdMSk6mq65BtI5yGjbu5lMpYLnvwXfn7mXgtKbMix/qQRghCoyZXQqDWu+OFsihFJM3mJf5AF+05hGZJthORgjg3rIzpBHiQE7Zrh+ApKPsi5AEtIp5GQpSS971b6+9OJlmpFpyfR8yHwJTsv2wMjDdAj86kL4xiGViT/2WVdNzhNiQgXkAQokqjfebf8ruCLIrGAHS5hGBz05DUCZacGkfIR4BCXUFr2x0N2AXUj1W2rWUI5gNHgGvmerKkP48yUpAZLZBrtYeaszXc/p6ILCqsAkQwMqk5rDN9a0evfzhVvXjGDwzp1WelQHNhMH6WH0+Uz0NuvRUzXVgOsvbvS2HIUfSQT6nwFwCQvXi3peBcUlZieyONOF1tI3RrQjypWITXDbtbJxZWb/Fi+FS1AqTTtFqV7rySugw4JArIcb2mGeP4wG2Vl+QN/Pi8L3IUvkhyI6xGRgB6YICWyK5oWlcM7KumpLbwXjGvVIMgIa6X5awLzxXfpJZIBfb7JZLgIbwrrq36d1ekINaFTIl2nodovZnZC3qZq9Ufgz8G9nXXpC4xD4x1gL30Hfan3TdG2dA+eEZKQFR2UniE/pHypXK1dFsj2qrcsN6tPjbo3V4cNAPSzig9HFvJiZ81D6+j8/dVT3an5VRF7QaK9eQrHG/VKwUUHva+msgHzsjGQ2/jSHuf2OzZAlzLbGcW6uyAeXy6S/1jAOHCqwUC64lDLLHuUD0r+t08DLRsCkARpGWW1VMrPe1yVUeQWzk0A3HYRRpQiEashLY3cfLFkUwq5lW8qU240NDg/r0MfZbzNylBqxcSwb/P2WCNJoNb3u0JvtRgMzrCf9tMwKehRQSa62VwfAuoj+uvsrO6l28rx9lv8ccvxjKbneCRl3bl4ncJoUFckHIxwQUkAzuxszQHSq+fuYdoXlDEC/o9f/OkVp1lINWUtZ1uE/P7T3ITrX4R9S3bRBejd+rVMoTJpEpY/19aiP3lsZZNq2CCWY4AXKu768J53eS4T8WW+2+yqjZLHqF6p+lFvOSWQ9r+u+N4fOMriM5bwwibUomZ99BxstWvUlx3wJXTVRzysVgi94dq1PbJf5ESK3lHIlv3mG06YVdDBp9Ni7SrWL2Hae2Cn09+mEYVVOX3v+T5+/NY+6QsRXAs1Cuu83V2JkGtpp5/qwxETGMlZi6KA+yaM2bACHN4GUtXQVYL0VwdAPX7u+PyvR9KSsyECEmmkCiR686iRb4RcxXuiAlbMnZf1Tsx5Nb5nXJMmKfGLwm9/rfW/r9P5fYK8Ww/etWMeHQ3DwAK76jMQwrMz6cNgNO3GzZschKGtf7IcntWbZpkCV5Za5cdblCAm+AXbqBse9lXpsHwUr3S6tebaUpEedNjC6Ynn6qcs8K5vdMDLfha0PdpuuePP0Z98MFcHM0CQvByR/bj

Source: C:\Windows\SysWOW64\WindowsInput.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5552:120:WilError_01
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Mutant created: \Sessions\1\BaseNamedObjects\e744d5f8bc5b44fcae386e2debf8200e

Source: WindowsInput.exe	String found in binary or memory: --install
Source: WindowsInput.exe	String found in binary or memory: --install
Source: 1wsm2uXwSY.exe	String found in binary or memory: $this.Icon-InstallationPromptForm
Source: 1wsm2uXwSY.exe	String found in binary or memory: --install
Source: 1wsm2uXwSY.exe	String found in binary or memory: /keepAlive?/launchSelfAndExit "{0}" {1}{2}

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1wsm2uXwSY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1wsm2uXwSY.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Features\Orcus.Service\obj\Release\Orcus.Service.pdblf source: 1wsm2uXwSY.exe, 00000000.00000002.515213538.00000000029C0000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000000.226049010.0000000000B52000.00000002.00020000.sdmp, WindowsInput.exe, 00000005.00000002.491758825.0000000000462000.00000002.00020000.sdmp, WindowsInput.exe.0.dr
Source:	Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.515638251.0000000002A32000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.515213538.00000000029C0000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Features\Orcus.Service\obj\Release\Orcus.Service.pdb source: WindowsInput.exe, WindowsInput.exe.0.dr
Source:	Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: 1wsm2uXwSY.exe, 00000000.00000002.515638251.0000000002A32000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.514919469.0000000002983000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.518013459.0000000004B50000.00000004.00020000.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdbDr source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp
Source:	Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdbD source: 1wsm2uXwSY.exe, 00000000.00000002.518013459.0000000004B50000.00000004.00020000.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader

Show sources

Source: Yara match

File source: Process Memory Space: 1wsm2uXwSY.exe PID: 6032, type: MEMORYSTR

.NET source code contains potential unpacker

Show sources

Source: 1wsm2uXwSY.exe, Orcus/Plugins/PluginLoader.cs	.Net Code: LoadPlugins System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1wsm2uXwSY.exe, Orcus/Plugins/PluginLoader.cs	.Net Code: LoadPlugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FC60B push ebx; iretd	0_2_024FC612
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FC607 push ebx; iretd	0_2_024FC60A
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FC6A0 push esp; iretd	0_2_024FC6A2
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FC4D9 push ebx; iretd	0_2_024FC4DA
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FC4AB push ebx; iretd	0_2_024FC4B2
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FC4A9 push ebx; iretd	0_2_024FC4AA
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FC578 push ebx; iretd	0_2_024FC57A
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FEA70 pushfd ; iretd	0_2_024FEA72
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Code function: 0_2_024FEA8F pushfd ; iretd	0_2_024FEA9A
Source: C:\Windows\SysWOW64\WindowsInput.exe	Code function: 3_2_00B56528 push rbx; ret	3_2_00B5652C
Source: C:\Windows\SysWOW64\WindowsInput.exe	Code function: 5_2_00466528 push rbx; ret	5_2_0046652C

Source: initial sample

Static PE information: section name: .text entropy: 7.16143211782

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Executable created and started: C:\Windows\SysWOW64\WindowsInput.exe

Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

File created: C:\Windows\SysWOW64\WindowsInput.exe

Jump to dropped file

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

File created: C:\Windows\SysWOW64\WindowsInput.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsInput.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 2328	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 2332	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6176	Thread sleep count: 689 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6176	Thread sleep count: 9145 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -299812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -299702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -299590s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -299484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -299373s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -299234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -299125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -299015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -298906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -298796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -298687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -298577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -298468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -298325s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -298218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -298109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297996s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297777s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -297004s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -296859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -296749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -296640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -296531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -296421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -296312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -296202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -296093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -295109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -294999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -294890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -294780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -294671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -294561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 6180	Thread sleep time: -294452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe TID: 2328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe TID: 2796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe TID: 3924	Thread sleep count: 174 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe TID: 3924	Thread sleep count: 285 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 592	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299812	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299702	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299590	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299484	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299373	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299234	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299125	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299015	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298906	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298796	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298687	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298577	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298468	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298325	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298218	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298109	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297996	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297889	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297777	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297671	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297562	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297453	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297343	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297234	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297124	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297004	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296859	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296749	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296640	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296531	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296421	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296312	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296202	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296093	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295983	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295874	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295765	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295655	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295546	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295437	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295327	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295218	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295109	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294999	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294890	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294780	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294671	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294561	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294452	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Window / User API: threadDelayed 689			Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Window / User API: threadDelayed 9145			Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * FROM WIN32_Processor

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299812	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299702	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299590	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299484	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299373	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299234	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299125	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 299015	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298906	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298796	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298687	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298577	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298468	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298325	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298218	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 298109	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297996	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297889	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297777	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297671	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297562	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297453	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297343	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297234	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297124	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 297004	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296859	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296749	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296640	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296531	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296421	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296312	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296202	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 296093	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295983	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295874	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295765	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295655	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295546	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295437	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295327	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295218	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 295109	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294999	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294890	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294780	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294671	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294561	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 294452	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: svchost.exe, 00000007.00000002.506634548.000002B014862000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: m$Hyper-V Volume Shadow Copy Requestor
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: m-Hyper-V Remote Desktop Virtualization Service
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: m$Hyper-V Time Synchronization Service
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: 1wsm2uXwSY.exe, 00000000.00000003.239825683.0000000005883000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.506197939.000002B01484C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.494031327.0000024774202000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: m!Hyper-V PowerShell Direct Service
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat
Source: WindowsInput.exe, 00000005.00000002.508170832.0000000019F93000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.494859365.0000024774229000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.495176321.000001F36C629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 1wsm2uXwSY.exe, Orcus/Native/NativeMethods.cs

Reference to suspicious API methods: ('OpenProcessToken', 'OpenProcessToken@advapi32'), ('LoadLibrary', 'LoadLibrary@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Process created: C:\Windows\SysWOW64\WindowsInput.exe 'C:\Windows\SysWOW64\WindowsInput.exe' --install

Jump to behavior

Source: 1wsm2uXwSY.exe, 00000000.00000002.505527637.0000000001060000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.498139826.000001D966390000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 1wsm2uXwSY.exe, 00000000.00000002.515865320.0000000002A6A000.00000004.00000001.sdmp	Binary or memory string: Program ManagerD
Source: 1wsm2uXwSY.exe	Binary or memory string: Shell_TrayWnd
Source: 1wsm2uXwSY.exe, 00000000.00000002.505527637.0000000001060000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.498139826.000001D966390000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 1wsm2uXwSY.exe	Binary or memory string: ProgMan
Source: 1wsm2uXwSY.exe, 00000000.00000002.505527637.0000000001060000.00000002.00020000.sdmp, svchost.exe, 0000000C.00000002.498139826.000001D966390000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Users\user\Desktop\1wsm2uXwSY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Queries volume information: C:\Windows\SysWOW64\WindowsInput.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Queries volume information: C:\Windows\SysWOW64\WindowsInput.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsInput.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1wsm2uXwSY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Contains functionality to disable the Task Manager (.Net Source)

Show sources

Source: 1wsm2uXwSY.exe, Orcus/Commands.FunActions/WindowsModules.cs

.Net Code: SetTaskManager

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000010.00000002.496095160.0000012536F02000.00000004.00000001.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	Windows Service1	Windows Service1	Masquerading121	Input Capture11	Query Registry1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Scheduled Task/Job1	Process Injection12	Disable or Modify Tools21	LSASS Memory	Security Software Discovery141	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	DLL Side-Loading1	Scheduled Task/Job1	Virtualization/Sandbox Evasion41	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Native API1	Logon Script (Mac)	DLL Side-Loading1	Process Injection12	NTDS	Virtualization/Sandbox Evasion41	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information21	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing11	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery23	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1wsm2uXwSY.exe	65%	Virustotal		Browse
1wsm2uXwSY.exe	63%	Metadefender		Browse
1wsm2uXwSY.exe	80%	ReversingLabs	ByteCode-MSIL.Trojan.Orcus
1wsm2uXwSY.exe	100%	Avira	HEUR/AGEN.1128549
1wsm2uXwSY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\SysWOW64\WindowsInput.exe	100%	Avira	TR/Agent.zgvcy
C:\Windows\SysWOW64\WindowsInput.exe	70%	Metadefender		Browse
C:\Windows\SysWOW64\WindowsInput.exe	87%	ReversingLabs	ByteCode-MSIL.Trojan.Skeeyah

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.1wsm2uXwSY.exe.2f0000.0.unpack	100%	Avira	HEUR/AGEN.1128549	Download File
5.0.WindowsInput.exe.460000.0.unpack	100%	Avira	HEUR/AGEN.1134657	Download File
0.0.1wsm2uXwSY.exe.2f0000.0.unpack	100%	Avira	HEUR/AGEN.1128549	Download File
5.2.WindowsInput.exe.460000.0.unpack	100%	Avira	HEUR/AGEN.1134657	Download File
3.0.WindowsInput.exe.b50000.0.unpack	100%	Avira	HEUR/AGEN.1134657	Download File
3.2.WindowsInput.exe.b50000.0.unpack	100%	Avira	HEUR/AGEN.1134657	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://tempuri.org/IServicePipe/GetPathResponse	0%	Avira URL Cloud	safe
http://schemas.datacontract.org	0%	URL Reputation	safe
http://tempuri.org/IServicePipe/GetRegistryValues	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/CreateValue	0%	Avira URL Cloud	safe
http://tempuri.org/	2%	Virustotal		Browse
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/IsAlive	0%	Avira URL Cloud	safe
http://crl.startssl.com/sfsca.crl0f	0%	URL Reputation	safe
http://tempuri.org/IServiceP$	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/System.ServiceProcess	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteValueResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServiceP(	0%	Avira URL Cloud	safe
http://tempuri.org/:NetNamedPipeBinding	0%	Avira URL Cloud	safe
http://crl.startssl.com/sca-code3.crl0#	0%	URL Reputation	safe
http://tempuri.org/IServicePipe/GetSecurityEventLogResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServiceP	0%	Avira URL Cloud	safe
http://tempuri.org/IServiceP0	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/IsAliveResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteSubKeyResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetSecurityEventLog	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/StartProcessom	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://tempuri.org/IServicePipe/CreateSubKeyResponse	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteValue	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetRegistrySubKeys	0%	Avira URL Cloud	safe
http://tempuri.org/IServiceP8	0%	Avira URL Cloud	safe
http://www.startssl.com/policy0	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://tempuri.org/IServicePipe/StartProcess	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/GetRegistryValuesResponse	0%	Avira URL Cloud	safe
http://www.startssl.com/0P	0%	URL Reputation	safe
http://tempuri.org/lJ)	0%	Avira URL Cloud	safe
http://tempuri.org/IServicePipe/DeleteSubKey	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP	WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/GetPathResponse	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/GetRegistryValues	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn	1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000E.00000003.311889347.000002B1EF447000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/CreateValue	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/I(.	1wsm2uXwSY.exe	false		high
http://tempuri.org/	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/IsAlive	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anon	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://crl.startssl.com/sfsca.crl0f	1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServiceP$	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/System.ServiceProcess	WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/DeleteValueResponse	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServiceP(	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000E.00000003.312028259.000002B1EF440000.00000004.00000001.sdmp	false		high
http://tempuri.org/:NetNamedPipeBinding	WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://crl.startssl.com/sca-code3.crl0#	1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/GetSecurityEventLogResponse	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IServiceP	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IServiceP0	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/IsAliveResponse	1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.505312254.00000000014AB000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000E.00000002.313404338.000002B1EF413000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/DeleteSubKeyResponse	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/GetSecurityEventLog	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000003.312252438.000002B1EF456000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/StartProcessom	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/CreateSubKeyResponse	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000007.00000002.505224674.000002B014814000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://tempuri.org/IServicePipe/DeleteValue	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/GetRegistrySubKeys	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServiceP8	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.startssl.com/policy0	1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000002.313404338.000002B1EF413000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000E.00000003.311769035.000002B1EF463000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.312028259.000002B1EF440000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IServicePipe/StartProcess	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IServicePipe/GetRegistryValuesResponse	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.startssl.com/0P	1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/lJ)	1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://tempuri.org/IServicePipe/DeleteSubKey	1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
136.144.41.171	unknown	Netherlands		49981	WORLDSTREAMNL	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483751
Start date:	15.09.2021
Start time:	12:49:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1wsm2uXwSY.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/17@0/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.3%) Quality average: 42.3% Quality standard deviation: 11.8%
HCA Information:	Successful, ratio: 98% Number of executed functions: 17 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.55.161.147, 23.55.161.166, 23.55.161.156, 23.55.161.160, 23.55.161.150, 23.55.161.169, 23.55.161.143, 23.55.161.161, 23.55.161.144, 23.35.236.56, 20.50.102.62, 40.112.88.60, 23.216.77.209, 23.216.77.208, 20.82.210.154 Excluded domains from analysis (whitelisted): fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:50:18	API Interceptor	824x Sleep call for process: 1wsm2uXwSY.exe modified
12:50:27	API Interceptor	2x Sleep call for process: svchost.exe modified
12:51:45	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WORLDSTREAMNL	INVOICE = 212888585 .xlsx	Get hash	malicious	Browse	136.144.41.96
	zoD4YzpMMG	Get hash	malicious	Browse	89.39.104.0
	RFQ 13787.xlsx	Get hash	malicious	Browse	136.144.41.96
	jPxSe1Y8HV.exe	Get hash	malicious	Browse	80.66.87.32
	9c2NwBeaMN.exe	Get hash	malicious	Browse	185.177.125.94
	9gS8VdUFK6.apk	Get hash	malicious	Browse	89.39.105.16
	7ErW9gaqY2.exe	Get hash	malicious	Browse	185.177.125.94
	wJtL8lkk83.exe	Get hash	malicious	Browse	185.177.125.94
	AMxo8mW9BE.exe	Get hash	malicious	Browse	80.66.87.32
	Sy5c0DbxMw.exe	Get hash	malicious	Browse	80.66.87.32
	kj1CaURZbn.exe	Get hash	malicious	Browse	185.177.125.94
	7liS1YWCOy.exe	Get hash	malicious	Browse	185.177.125.94
	da6332feebc2a530509de0c661231bbd427327c31d660.exe	Get hash	malicious	Browse	185.177.125.94
	hhXB3QLUty.exe	Get hash	malicious	Browse	185.177.125.94
	9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab.exe	Get hash	malicious	Browse	185.177.125.94
	2qE9TLzYDn.exe	Get hash	malicious	Browse	185.177.125.94
	BIbA1NbNKy.exe	Get hash	malicious	Browse	185.177.125.94
	U7986HO2mg.exe	Get hash	malicious	Browse	185.177.125.94
	dJy1bkJwEW	Get hash	malicious	Browse	178.132.6.150
	ACDC44F3C8B2B8B12A3E396A3D9F5D353D17DAB46B0E7.exe	Get hash	malicious	Browse	136.144.41.201

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\SysWOW64\WindowsInput.exe	iRLW5wwrfn.exe	Get hash	malicious	Browse
	1RX6Qzn7bl.exe	Get hash	malicious	Browse
	O83wubYGMU.exe	Get hash	malicious	Browse
	ax1n5PdVg4.exe	Get hash	malicious	Browse
	X6ljOJLLDo.exe	Get hash	malicious	Browse
	8GxLojRybe.exe	Get hash	malicious	Browse
	n9Mxt7RRsd.exe	Get hash	malicious	Browse
	BEM6oSoge6.exe	Get hash	malicious	Browse
	tv2s1L9ggR.exe	Get hash	malicious	Browse
	eAb51g16kK.exe	Get hash	malicious	Browse
	TIJYYlYJpv.exe	Get hash	malicious	Browse
	glk3M5FU5d.exe	Get hash	malicious	Browse
	uptkFVzchM.exe	Get hash	malicious	Browse
	51JDkLqWt1.exe	Get hash	malicious	Browse
	3E40414D3D75B88373027C33BBE22E90A6EF7FDF7C98B.exe	Get hash	malicious	Browse
	NdiW4xIPPL.exe	Get hash	malicious	Browse
	lKAM6YnGl8.exe	Get hash	malicious	Browse
	eENtfPFNcE.exe	Get hash	malicious	Browse
	VZH2Mrlq0e.exe	Get hash	malicious	Browse
	rVKZtqxF35.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.596912552794713
Encrypted:	false
SSDEEP:	6:0FAek1GaD0JOCEfMuaaD0JOCEfMKQmDA7tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0yNGaD0JcaaD0JwQQA7tAg/0bjSQJ
MD5:	EBCDF53FB225D0F68C66311441EC3727
SHA1:	66E7691B5D9FA1ACB381F3C3AF3CDFBA4B5ACF91
SHA-256:	680C1A77E5F6674CF46158852CC316A63F68715BF5BEA75C4487E381854A1F2F
SHA-512:	01B3E0FAE9CBA1349978F6C7B7E64B39D0F4E1F64E5CCAE1DF718A1BBEACE7534027B7572A817637F1B74BFE8CBC5F0D7718757E75E49C2CCE3AFE2F78641398
Malicious:	false
Preview:	......:{..(......2...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................2...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x4c610639, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09517970658208089
Encrypted:	false
SSDEEP:	6:xKXzwl/+t9lsRIE11Y8TRXwFq4MJ6K7KXzwl/+t9lsRIE11Y8TRXwFq4MJ6K:MX0+XlsO4blrsKOX0+XlsO4blrsK
MD5:	4DC5DE4B778C6BE24A4D5DAC46886A4D
SHA1:	EFA7C2172CE8C766E89F46E0F638C39CBB96E777
SHA-256:	FA537DB4F23D2BD8D2EDE283ED656F6B1AB9AB4AA5A2CF4C5955A3184329B723
SHA-512:	9C4575835768DEEC535A1A85BDE5FE5DD934E6E6DDF1E0A9048F450CDFEA32442397D396E66511A3DD169E6D200323E2A341B3B95CA147889CDE6C02C22D8C18
Malicious:	false
Preview:	La.9... ................e.f.3...w........................&..........w...2...y?.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w..........................................................................................................................................................................................................................................2...y?a..................;n.2...y?.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.10909264935176838
Encrypted:	false
SSDEEP:	3:EbmtTEv5W2Jl/bJdAtiu8tYll:642Jt4W2
MD5:	F8CD1C4E4201E93D3E9575276978BDD6
SHA1:	7CB577F2432111107DC500465854DC485D155E87
SHA-256:	ADB6ED51A2D53CFA1B03D686F745037389A77FF77A63582CB8E8C28CB1937E4B
SHA-512:	437B71B1A5DEC71F079ACF2E1F75229ED33E7114E330496B39687595B65DE1C9BC9E558F3DB6774F2A5717B3FBE851CB6AE66223FC6678DDA0863E0D52DBE877
Malicious:	false
Preview:	.CM......................................3...w...2...y?......w...............w.......w....:O.....w....................;n.2...y?.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\1wsm2uXwSY.exe
File Type:	Microsoft Cabinet archive data, 61156 bytes, 1 file
Category:	dropped
Size (bytes):	61156
Entropy (8bit):	7.995777164206378
Encrypted:	true
SSDEEP:	1536:QnktbzAsvtoyRC5FLNPj1tHqn+ZQgYXAMxCbGMRa0HMSeWAM6J:0ktH7toVNPj1Vi++xQFaM7siAJ
MD5:	392C95F4B10F4100D7286E3054CF0157
SHA1:	6CE671B4084D156FD87E2412B8AA36155F11D221
SHA-256:	6B3CFDC61B3D2B19D972299CE9C6CAD0804457152AA22E9FC5544C68FA139240
SHA-512:	82E1E076E10DB3FD8FEA92C6465F360602F57B56D578F1BF7708CE59D986BEE6291B21AAB43574DF61962687473834514575110B48AFCA1DA221FE84C6126AA2
Malicious:	false
Preview:	MSCF............,...................I........t.........SK\ .authroot.stl.<.U..5..CK..8T....c_.d....A.F....Y.M$[v.4.)%%...$).^...%..-QQ....L.2....u..g..;.{x...... .tA-...c.b..1.tY..o...t....ag`v.5...0.........r.......w.? O."l.,_...t.8Lkr..E.C..JxD...WWVRQ.03..q`.....x$....j...8C........n7R....,G...WVO<.....m.P..@.Wu.?. .V..`.Y...CDg./.s.\..t......Ieiu..D$g....8..(g..tj......,V)v/r.d.].xqX4.....s.....&6L?..+y-ps...e..B(.q._..aC.h....@~P .6CA.(d.F~...D.kA....\....`0..w... (.. .Q.....g.....)......z&.8r.....&..49r=.N...f.0.9`6.......3b.....:l.g.O.......Mqu.,...@.7Z..,....FS..;.....>.:".........k%.H.~......KEQ.V..p..Y.............q.c.0..V.T...Z..rT..I..d?\.TsI...hn1?.4N...~...................h,....y...0.X.jz.8.y,k).....>B..v.......9.\|&z$.+...Sl..F k....Js........ExFc.k.........Y........]..[.5..:...,kV?D....M........ZG..[....wZ.O...P=..u.t...Z.q...r.A?M..;..6..B9.(..!..\.:K`.....-\|'.3&.....;.t.I.h......1.....eC....^.7..P.u.L{.Ew.@"...d....^

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\1wsm2uXwSY.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.1328030336363
Encrypted:	false
SSDEEP:	6:kK2x3dN+SkQlPlEGYRMY9z+4KlDA3RUe+edlwzTW0:eEkPlE99SNxAhUek60
MD5:	72D6FCA5AD0ADA7FF977C1ED4AD181ED
SHA1:	F0E04752184864F6BF25585C5100B09F10E1572C
SHA-256:	A1295ED9961CEF82FFD770C4813EAAC56C4C4364E6B22B0BB9C5322459591239
SHA-512:	032696958CE64C1EF7DD96610F36F25F1E305B1951580A4D0FD2A690AB85A5B6D5EA0638DC581D53FD650DC65CC586C70650CFA5CC0FE8DE21786E679D94CED0
Malicious:	false
Preview:	p...... ........h.6.j...(....................................................... ..........u.......(...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.a.0.9.e.7.5.c.d.9.2.d.7.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsInput.exe.log Download File
Process:	C:\Windows\SysWOW64\WindowsInput.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2185
Entropy (8bit):	5.360880263611341
Encrypted:	false
SSDEEP:	48:MxHKU8mHD084IHT66YHKGD8AoPtHTG1hAHKKPWHK71qHGiD0HKeG6HKmTH3:iqESIz66YqGgAoPtzG1eqKPWq7wmI0qa
MD5:	A89E2A3BE05E2CBBED73AEBBEA14561D
SHA1:	70B7484AF6D2CE8F0CB6663180DAD2358C8EECF8
SHA-256:	BCE7F21C447553268089CA196CEDAC85399F910A53C4C71B30F4EEF72268884C
SHA-512:	F8612815DDCEFCA1CAA77D3797D29717BA3F7BC3CC1D9806D01C42378612288E084CE68E28988B23114CF2F0F3825502A1877D5F8DC09C42FE6614DC430079EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\5c7518ffedb9bd37c8630ebeecde284a\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\b7f41bbfe8914f994b68b89a23570901\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11022563403621521
Encrypted:	false
SSDEEP:	12:26TXm/Ey6q9995wiq3qQ10nMCldimE8eawHjcR:26Kl68+LyMCldzE9BHjcR
MD5:	5E400C2DA7C24C84554AA32D23BB25BD
SHA1:	8C4286DDE5156DD1FA618C03A8D47C9076281CE3
SHA-256:	3B90419CB2269083A04388285BADDA7E6F0C22AF16BE8608C022FF5DFB225C01
SHA-512:	DC1BBDA9428B71DC0C115BD56399555A4663C0D192A5ACA341C89CE3C71C075288F169A1C8CB00D0B949A9B9413EC656D406345711AFDABF5BCB2351471B4E0B
Malicious:	false
Preview:	................................................................................4.......Y.d......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M,.T*..... .....X(..j...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.4.......d.d.....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11285300616842073
Encrypted:	false
SSDEEP:	12:fLXm/Ey6q9995wO1miM3qQ10nMCldimE8eawHza1miIqw:al68L1tMLyMCldzE9BHza1tIqw
MD5:	1D1C1F3573EF02A9B21FC7992F4431A7
SHA1:	CCF11511B438586873DD54F1A5D549F705C17963
SHA-256:	053CF112EEE1F028E0E21E11D9DDBF94378CE24565C892FA2783504589C9B648
SHA-512:	909123B28FC478F2953AA1E27A3C8EF1FE0CAFDE89E2852D546EF3AEC87B0687BA37DB5DC05EC4A382C34D6FEC210DD6560063D8BEA808E03F13EA9A63DE1F32
Malicious:	false
Preview:	................................................................................4........Tb......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M,.T*..... .....!..j...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.4.......A]b.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11291881060332332
Encrypted:	false
SSDEEP:	12:tXm/Ey6q9995w81mK2P3qQ10nMCldimE8eawHza1mK2:Ql68h1iPLyMCldzE9BHza1S
MD5:	E247C65B10C09BB21CDD05EAF4D650B7
SHA1:	F9F9F327A999FFA6A31708E6D3BCF329F06EBEFE
SHA-256:	412E7C540D118EF24FE6787FCFE62112D46BC0C84562B0373459CBEDE2E4E13B
SHA-512:	B19DCFCC9B6F1D5D714403728D24669E3932B7EEC79FBEE369009A1E74770CC2862920B5059C2F91372723E64FED612F8D93BAFE765AAB653E47BA157213E853
Malicious:	false
Preview:	................................................................................4.......!.`......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M,.T*..... ......R..j...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.4.......].`.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11022563403621521
Encrypted:	false
SSDEEP:	12:26TXm/Ey6q9995wiq3qQ10nMCldimE8eawHjcR:26Kl68+LyMCldzE9BHjcR
MD5:	5E400C2DA7C24C84554AA32D23BB25BD
SHA1:	8C4286DDE5156DD1FA618C03A8D47C9076281CE3
SHA-256:	3B90419CB2269083A04388285BADDA7E6F0C22AF16BE8608C022FF5DFB225C01
SHA-512:	DC1BBDA9428B71DC0C115BD56399555A4663C0D192A5ACA341C89CE3C71C075288F169A1C8CB00D0B949A9B9413EC656D406345711AFDABF5BCB2351471B4E0B
Malicious:	false
Preview:	................................................................................4.......Y.d......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M,.T*..... .....X(..j...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.4.......d.d.....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11285300616842073
Encrypted:	false
SSDEEP:	12:fLXm/Ey6q9995wO1miM3qQ10nMCldimE8eawHza1miIqw:al68L1tMLyMCldzE9BHza1tIqw
MD5:	1D1C1F3573EF02A9B21FC7992F4431A7
SHA1:	CCF11511B438586873DD54F1A5D549F705C17963
SHA-256:	053CF112EEE1F028E0E21E11D9DDBF94378CE24565C892FA2783504589C9B648
SHA-512:	909123B28FC478F2953AA1E27A3C8EF1FE0CAFDE89E2852D546EF3AEC87B0687BA37DB5DC05EC4A382C34D6FEC210DD6560063D8BEA808E03F13EA9A63DE1F32
Malicious:	false
Preview:	................................................................................4........Tb......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M,.T*..... .....!..j...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.4.......A]b.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.. (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11291881060332332
Encrypted:	false
SSDEEP:	12:tXm/Ey6q9995w81mK2P3qQ10nMCldimE8eawHza1mK2:Ql68h1iPLyMCldzE9BHza1S
MD5:	E247C65B10C09BB21CDD05EAF4D650B7
SHA1:	F9F9F327A999FFA6A31708E6D3BCF329F06EBEFE
SHA-256:	412E7C540D118EF24FE6787FCFE62112D46BC0C84562B0373459CBEDE2E4E13B
SHA-512:	B19DCFCC9B6F1D5D714403728D24669E3932B7EEC79FBEE369009A1E74770CC2862920B5059C2F91372723E64FED612F8D93BAFE765AAB653E47BA157213E853
Malicious:	false
Preview:	................................................................................4.......!.`......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................M,.T*..... ......R..j...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.4.......].`.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1376849231203545
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rlsQlw3IyClKwZk9+MlWlLehB4yAq7ejCEsQlw3IyClKQI:OaqdmuF3rlp+zw++kWReH4yJ7MNp+zQI
MD5:	FE790FD972A28049249653BF62BCC5F8
SHA1:	35C2E866B46E975C732897A1C741DD77EBB934B3
SHA-256:	85D43FCDFC3592B2D674803C8802DDEB58F03958981DC4C2E96C72523329998D
SHA-512:	168A8B56F139CFE84CE858FD01F3A0743BAB22DEE74F35B428F0A69D6148D63D3F2627C3F18EC3D6B533DB2162B147105029501FB015521472DC6CE8D5B1DC18
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. S.e.p. .. 1.5. .. 2.0.2.1. .1.2.:.5.1.:.4.5.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. S.e.p. .. 1.5. .. 2.0.2.1. .1.2.:.5.1.:.4.5.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Windows\SysWOW64\WindowsInput.InstallState Download File
Process:	C:\Windows\SysWOW64\WindowsInput.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	7466
Entropy (8bit):	5.1606801095705865
Encrypted:	false
SSDEEP:	96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
MD5:	362CE475F5D1E84641BAD999C16727A0
SHA1:	6B613C73ACB58D259C6379BD820CCA6F785CC812
SHA-256:	1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
SHA-512:	7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

C:\Windows\SysWOW64\WindowsInput.exe Download File
Process:	C:\Users\user\Desktop\1wsm2uXwSY.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.287047573060398
Encrypted:	false
SSDEEP:	384:v4I7s3DhDXbdCEiWByrv0/5OPovw+BdkDGIMA10qKpWn:gggDhDXxeWwDgOD7
MD5:	E6FCF516D8ED8D0D4427F86E08D0D435
SHA1:	C7691731583AB7890086635CB7F3E4C22CA5E409
SHA-256:	8DBE814359391ED6B0B5B182039008CF1D00964DA9FBC4747F46242A95C24337
SHA-512:	C496CF8E2E222FE1E19051B291E6860F31AAE39F54369C1C5E8C9758C4B56E8AF904E3E536E743A0A6FDBBF8478AFBA4BAEE92E13FC1B3073376AC6BF4A7948E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Metadefender, Detection: 70%, Browse Antivirus: ReversingLabs, Detection: 87%
Joe Sandbox View:	Filename: iRLW5wwrfn.exe, Detection: malicious, Browse Filename: 1RX6Qzn7bl.exe, Detection: malicious, Browse Filename: O83wubYGMU.exe, Detection: malicious, Browse Filename: ax1n5PdVg4.exe, Detection: malicious, Browse Filename: X6ljOJLLDo.exe, Detection: malicious, Browse Filename: 8GxLojRybe.exe, Detection: malicious, Browse Filename: n9Mxt7RRsd.exe, Detection: malicious, Browse Filename: BEM6oSoge6.exe, Detection: malicious, Browse Filename: tv2s1L9ggR.exe, Detection: malicious, Browse Filename: eAb51g16kK.exe, Detection: malicious, Browse Filename: TIJYYlYJpv.exe, Detection: malicious, Browse Filename: glk3M5FU5d.exe, Detection: malicious, Browse Filename: uptkFVzchM.exe, Detection: malicious, Browse Filename: 51JDkLqWt1.exe, Detection: malicious, Browse Filename: 3E40414D3D75B88373027C33BBE22E90A6EF7FDF7C98B.exe, Detection: malicious, Browse Filename: NdiW4xIPPL.exe, Detection: malicious, Browse Filename: lKAM6YnGl8.exe, Detection: malicious, Browse Filename: eENtfPFNcE.exe, Detection: malicious, Browse Filename: VZH2Mrlq0e.exe, Detection: malicious, Browse Filename: rVKZtqxF35.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......X.........."...0..H...........f... ........@.. ....................................@.................................Df..O....................................e............................................... ............... ..H............text....F... ...H.................. ..`.rsrc................J..............@..@.reloc...............R..............@..B................xf......H....... -..\|6......s....c..p.............................................{...."..}......{...."..}......{...."..}......(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}.....~.......0..g.............%......(.....%......(.....%......(.....%......(.....%......(.....%......(.....%......(............{...."..}......{......( ...:..}.....(......{...."..}......{....2.(%....4...:..

C:\Windows\SysWOW64\WindowsInput.exe.config Download File
Process:	C:\Users\user\Desktop\1wsm2uXwSY.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	357
Entropy (8bit):	5.044876050355283
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VJdfEyFRdSC7VrfC7VNQfC7VOVx/OfEyFRfyruUuAW4QIT:TMHdG3VOcrdS+QmafyV93xT
MD5:	A2B76CEA3A59FA9AF5EA21FF68139C98
SHA1:	35D76475E6A54C168F536E30206578BABFF58274
SHA-256:	F99EF5BF79A7C43701877F0BB0B890591885BB0A3D605762647CC8FFBF10C839
SHA-512:	B52608B45153C489419228864ECBCB92BE24C644D470818DFE15F8C7E661A7BCD034EA13EF401F2B84AD5C29A41C9B4C7D161CC33AE3EF71659BC2BCA1A8C4AD
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. <supportedRuntime version="v4.0.30319" sku=".NETFramework,Version=v4.0,Profile=Client" />.. </startup>..</configuration>

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.169840768392636
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1wsm2uXwSY.exe
File size:	944640
MD5:	a560665e36e1af3084e31055adc83808
SHA1:	c9d07a945765b3f90e0a970a748af631f22cf0e3
SHA256:	3ffef680021c116955e889822e935c55b05576f9a0f9bd1dde334c0ccbfca006
SHA512:	93f03d8ef76cfc1ba8a0859041542c505cc0c57cff5f42d8a2a1d56477eb5229cf46b7928197c108341dadd2a5a0d3ad8ca5e77e39f93ce7295621197f7968ae
SSDEEP:	24576:B0M4MROxnFNFPurerrcI0AilFEvxHPlIoom:BuMieerrcI0AilFEvxHPl
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'>a.....................:.......L... ........@.. ....................................`................................

File Icon


Icon Hash:	38d48cdccccec0e2

Static PE Info

General
Entrypoint:	0x4e4c1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x613E271C [Sun Sep 12 16:13:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe4bd0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe6000	0x370c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe2c24	0xe2e00	False	0.64883350551	data	7.16143211782	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xe6000	0x370c	0x3800	False	0.913713727679	data	7.75452022853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe6130	0x2fcf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xe9100	0x14	data
RT_VERSION	0xe9114	0x2b8	COM executable for DOS
RT_MANIFEST	0xe93cc	0x33f	XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	1.0.0.0
InternalName	Synapse X
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion	1.0.0.0
FileDescription
OriginalFilename	Orcus.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 12:50:18.093069077 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:18.122647047 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:18.124831915 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:18.230873108 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:18.278109074 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:18.299577951 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:18.335437059 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:18.383754969 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:19.629779100 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:19.724070072 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:19.724282980 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:19.765503883 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:19.821305037 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:19.852685928 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:19.899410009 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:20.062932014 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:20.148684978 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:20.148921967 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:20.178622961 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:20.227526903 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:20.636822939 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:20.728151083 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:20.728384018 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:20.771930933 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:20.773374081 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:20.809072018 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:20.809314966 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:20.883588076 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:30.854196072 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:30.854283094 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.189779043 CEST	49737	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.219707012 CEST	10134	49737	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.402363062 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.432729959 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.432809114 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.434916973 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.469824076 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.470787048 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.544431925 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.544521093 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.604665041 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.651268005 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.682945967 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.684395075 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.755917072 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.756007910 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.789108038 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.824125051 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.898917913 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.902157068 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.939627886 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.941752911 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:41.973754883 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:41.975526094 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.056708097 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.099342108 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.106026888 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.109525919 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.112118959 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.114130020 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.116242886 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.119771004 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.122850895 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.126504898 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.129968882 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.132371902 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.134628057 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.136562109 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.139579058 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.139597893 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.139699936 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.143277884 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.143661976 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.143693924 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.146770000 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.146866083 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.149461985 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.150257111 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.151042938 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.154134989 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.155951977 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.156958103 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.159431934 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.159743071 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.159931898 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.162749052 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.166250944 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.170161009 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.174072981 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:50:42.176948071 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.184272051 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.188453913 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.188708067 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.192092896 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.195790052 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:50:42.212719917 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:51:05.544791937 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:51:05.594949007 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:51:05.630929947 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:51:05.671711922 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:51:05.744311094 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:51:05.744513988 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:51:05.815025091 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:51:35.592652082 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:51:35.640467882 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:51:35.670311928 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:51:35.671453953 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:51:35.744126081 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:51:35.744353056 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:51:35.816063881 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:52:05.655653000 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:52:05.710927010 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:52:05.749182940 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:52:05.750271082 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:52:05.823350906 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:52:05.823431969 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:52:05.899599075 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:52:35.754574060 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:52:35.802108049 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:52:35.838515997 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:52:35.839977980 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:52:35.914437056 CEST	10134	49745	136.144.41.171	192.168.2.3
Sep 15, 2021 12:52:35.917419910 CEST	49745	10134	192.168.2.3	136.144.41.171
Sep 15, 2021 12:52:36.000240088 CEST	10134	49745	136.144.41.171	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 12:50:05.325572968 CEST	50620	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:50:05.354521990 CEST	53	50620	8.8.8.8	192.168.2.3
Sep 15, 2021 12:50:18.806497097 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:50:18.837102890 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 15, 2021 12:50:30.651274920 CEST	60152	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:50:30.686750889 CEST	53	60152	8.8.8.8	192.168.2.3
Sep 15, 2021 12:50:37.068973064 CEST	57544	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:50:37.104619980 CEST	53	57544	8.8.8.8	192.168.2.3
Sep 15, 2021 12:50:57.197103024 CEST	55984	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:50:57.226572990 CEST	53	55984	8.8.8.8	192.168.2.3
Sep 15, 2021 12:51:12.848592043 CEST	64185	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:51:12.876626968 CEST	53	64185	8.8.8.8	192.168.2.3
Sep 15, 2021 12:51:20.540992975 CEST	65110	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:51:20.570419073 CEST	53	65110	8.8.8.8	192.168.2.3
Sep 15, 2021 12:51:55.303971052 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:51:55.342093945 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 15, 2021 12:51:57.400708914 CEST	63492	53	192.168.2.3	8.8.8.8
Sep 15, 2021 12:51:57.429418087 CEST	53	63492	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 1wsm2uXwSY.exe PID: 6032 Parent PID: 5416

General

Start time:	12:50:09
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\1wsm2uXwSY.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\1wsm2uXwSY.exe'
Imagebase:	0x2f0000
File size:	944640 bytes
MD5 hash:	A560665E36E1AF3084E31055ADC83808
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: RAT_Orcus, Description: unknown, Source: 00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: JoeSecurity_OrcusRat, Description: Yara detected Orcus RAT, Source: 00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam Rule: RAT_Orcus, Description: unknown, Source: 00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp, Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Reputation:	low

Chronological Activities

Analysis Process: WindowsInput.exe PID: 992 Parent PID: 6032

General

Start time:	12:50:11
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\WindowsInput.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\SysWOW64\WindowsInput.exe' --install
Imagebase:	0xb50000
File size:	21504 bytes
MD5 hash:	E6FCF516D8ED8D0D4427F86E08D0D435
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira Detection: 70%, Metadefender, Browse Detection: 87%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: WindowsInput.exe PID: 1848 Parent PID: 568

General

Start time:	12:50:14
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\WindowsInput.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\WindowsInput.exe
Imagebase:	0x460000
File size:	21504 bytes
MD5 hash:	E6FCF516D8ED8D0D4427F86E08D0D435
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 3468 Parent PID: 568

General

Start time:	12:50:18
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4080 Parent PID: 568

General

Start time:	12:50:27
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3396 Parent PID: 568

General

Start time:	12:50:37
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5180 Parent PID: 568

General

Start time:	12:50:38
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1836 Parent PID: 568

General

Start time:	12:50:39
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4812 Parent PID: 568

General

Start time:	12:50:39
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2140 Parent PID: 568

General

Start time:	12:50:40
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2000 Parent PID: 568

General

Start time:	12:50:41
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 6220 Parent PID: 568

General

Start time:	12:50:42
Start date:	15/09/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7d6bd0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6264 Parent PID: 568

General

Start time:	12:50:43
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6344 Parent PID: 568

General

Start time:	12:50:47
Start date:	15/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 5672 Parent PID: 6264

General

Start time:	12:51:44
Start date:	15/09/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff60f890000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5552 Parent PID: 5672

General

Start time:	12:51:44
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 1wsm2uXwSY.exe PID: 6032 Parent PID: 5416 1wsm2uXwSY.exeCOMMON

Executed Functions

Function 024F76A0, Relevance: 1.2, Instructions: 1205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.508044373.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab1c177652942252b0fcc4fab4917c89097ae08784539338a88911f876efe43
Instruction ID: f14df3f046f9f8ffa16f35d2234589606a1e06f477613374f7cda292eb1c4dcf
Opcode Fuzzy Hash: fab1c177652942252b0fcc4fab4917c89097ae08784539338a88911f876efe43
Instruction Fuzzy Hash: D4B26C747006048FDB68DF38C594A6AB7F2BF89704F1149AAE656CB3A1DB34EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 024F6780, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 024FB3C1

Memory Dump Source

Source File: 00000000.00000002.508044373.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 19e3b19bb9e9f13bacb728e9de7bb2c9b3bc65bc1b85600262b49738019e194f
Instruction ID: 3a2af8ed7ca052524fcfa20111703f4dc2a4dc0c49fea2e5fa783afb2470e435
Opcode Fuzzy Hash: 19e3b19bb9e9f13bacb728e9de7bb2c9b3bc65bc1b85600262b49738019e194f
Instruction Fuzzy Hash: 8141E370C0061CCBDB24CF99C944BDEBBB5FF89308F24846AD518AB251DB716946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 024FB154, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024FCF7E,?,?,?,?,?), ref: 024FD03F

Memory Dump Source

Source File: 00000000.00000002.508044373.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b5d421c00e4fba7b643e2eeefd197e56584ec1d4bea164a34e12ab05d950086
Instruction ID: 33d833534956331d2a67dfa6e58866ca203282c17d6b44910af2d0830ec58b8d
Opcode Fuzzy Hash: 9b5d421c00e4fba7b643e2eeefd197e56584ec1d4bea164a34e12ab05d950086
Instruction Fuzzy Hash: CB21D2B59002089FDB10CF99D984AEEBBF8EB48324F14841AE915A3350D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024FEF34, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,024FF862), ref: 024FF961

Memory Dump Source

Source File: 00000000.00000002.508044373.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: d1e5180361d15105e1eb7aec66615d579e352470c457bb8306809691acf017e9
Instruction ID: a229159e67ba33340b5714ae3edc0cae5b43dac2e2bab570155fdb196fa44570
Opcode Fuzzy Hash: d1e5180361d15105e1eb7aec66615d579e352470c457bb8306809691acf017e9
Instruction Fuzzy Hash: 672123B5D002099BCB10CF9AC844ADEFBF4FB88314F15852ED919B7740C3B4A949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D144, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.503957342.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b058e11075893b686eb27cdeac13177c62c7e059cd0778d9d3ebdf06175a668
Instruction ID: 8297289f41c05570887d4ec4c8b3e7692627f8f69a4b934993879086507fb931
Opcode Fuzzy Hash: 2b058e11075893b686eb27cdeac13177c62c7e059cd0778d9d3ebdf06175a668
Instruction Fuzzy Hash: CD210372500640DFCF05CF50D9C8F2ABB65FB48328F2485ADE80A5B256C33AD856DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D234, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.503957342.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0a7cd3b9b0e942d16cbeda7ab00c154c92b91b2f6bab94a4832180fc2c593e
Instruction ID: 4f38e3bc98f3a0300184ee9e63c0c3dd8a01e3cf96c82462a6f49a45f4f50f26
Opcode Fuzzy Hash: eb0a7cd3b9b0e942d16cbeda7ab00c154c92b91b2f6bab94a4832180fc2c593e
Instruction Fuzzy Hash: A621F575504644DFDF05CF10D9C8B26BBA5FB84314F24C9A9D80A5B256C33ADC56CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D13F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.503957342.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18e4ea84f3208475caee8a6d20199798cb56d3b6eb39b8ff2c81be2777dac78
Instruction ID: 4de15fe9c1e93138960e01944b1603eb8f9c47434c655d010807a625caefda09
Opcode Fuzzy Hash: e18e4ea84f3208475caee8a6d20199798cb56d3b6eb39b8ff2c81be2777dac78
Instruction Fuzzy Hash: F421DF76404680CFCF06CF10D9C4B15BF72FB48324F24C6A9D80A4B256C33AD96ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D22F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.503957342.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51c3ba76aa1874a7f345b2af3b8e18a6a6d29562bcc2dcd7185574416adf85b
Instruction ID: f834660ca0484772a51c64f465b9f8205a1be76524b4eeb71b2e9e9c10b2fbd3
Opcode Fuzzy Hash: a51c3ba76aa1874a7f345b2af3b8e18a6a6d29562bcc2dcd7185574416adf85b
Instruction Fuzzy Hash: 3E119A75504680DFCF12CF10D5C8B15BFB1FB84324F28C6AAD84A5B656C33AD95ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: WindowsInput.exe PID: 992 Parent PID: 6032 WindowsInput.exeCOMMON

Executed Functions

Function 00007FFAEEE936D9, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

EtwEventUnregister.NTDLL ref: 00007FFAEEE9375F

Memory Dump Source

Source File: 00000003.00000002.230853216.00007FFAEEE90000.00000040.00000001.sdmp, Offset: 00007FFAEEE90000, based on PE: false

Similarity

API ID: EventUnregister
String ID:
API String ID: 1359036815-0
Opcode ID: f5b87dce9d0ede7386f587b68da0543d5529c965e0dc2bf0ae489d59098ac571
Instruction ID: c980ba17c1825fb56ba81264087338936b6acb7dd4d5420aed4d3a1bc012419f
Opcode Fuzzy Hash: f5b87dce9d0ede7386f587b68da0543d5529c965e0dc2bf0ae489d59098ac571
Instruction Fuzzy Hash: A721E17180DB885FE765DB2D98093A57FF0FB26310F0401AFD08AC3692DBA56819CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEF307FA, Relevance: 1.0, Instructions: 962COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.230891343.00007FFAEEF30000.00000040.00000001.sdmp, Offset: 00007FFAEEF30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa464f977b8445b2f10471887a8085c50a22df2b0ef5afbcf8ed34c0fe1d6587
Instruction ID: 76f00969d3b21f34c46647e7d59d2f4595af83927c4f8991a586b929d8f63cb9
Opcode Fuzzy Hash: aa464f977b8445b2f10471887a8085c50a22df2b0ef5afbcf8ed34c0fe1d6587
Instruction Fuzzy Hash: F8E1F370B0CA494FE798AB2C98557B47BD1EF5A310B0542FBD08EC72E7DD58AC428792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEF300D5, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.230891343.00007FFAEEF30000.00000040.00000001.sdmp, Offset: 00007FFAEEF30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36019c801c85f46638c0c29cdfb3d019014fed1c616724e4f577e8d666afa8a
Instruction ID: 036b42ffab2788482f9d4a64e02d1c722e9f4b5860f4bab87b939898dc04c450
Opcode Fuzzy Hash: a36019c801c85f46638c0c29cdfb3d019014fed1c616724e4f577e8d666afa8a
Instruction Fuzzy Hash: 3261E77060CB484FD75DEF1C98956757BE1EF5A710B0601EBE48AC72A7CE64EC028792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEF304EE, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.230891343.00007FFAEEF30000.00000040.00000001.sdmp, Offset: 00007FFAEEF30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723a489a2c052c800270f89362ba3adbde3f678cf693a3b8ea085fc09f53cad4
Instruction ID: d872312172a6db6b577d94b936abaf113f84b805d1c06e118d0cb8997d8b8db5
Opcode Fuzzy Hash: 723a489a2c052c800270f89362ba3adbde3f678cf693a3b8ea085fc09f53cad4
Instruction Fuzzy Hash: AF4105B1A0CBC64FE38AAB7848655A07FE1EF5B20031A41FBD08DC72A7DC58AC06C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEF30833, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.230891343.00007FFAEEF30000.00000040.00000001.sdmp, Offset: 00007FFAEEF30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132374b094a35fc0c53788ee4f45ec251bcaa3aa7d9d6dd93f941333b7609565
Instruction ID: 3291d2d3b1037fdb15fa8d97859eabbdcfa469509b2a1cb2285257a30c580039
Opcode Fuzzy Hash: 132374b094a35fc0c53788ee4f45ec251bcaa3aa7d9d6dd93f941333b7609565
Instruction Fuzzy Hash: 6C11BE70B0CA1D0B975CEF1C68862B873C1EB89721B91027BE48FC379ACD55AC4246C6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: WindowsInput.exe PID: 1848 Parent PID: 568 WindowsInput.exeCOMMON

Executed Functions

Function 00007FFAEEEB9398, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

kL, xrefs: 00007FFAEEEBA3ED

Memory Dump Source

Source File: 00000005.00000002.512069609.00007FFAEEEB0000.00000040.00000001.sdmp, Offset: 00007FFAEEEB0000, based on PE: false

Similarity

API ID:
String ID: kL
API String ID: 0-1830713539
Opcode ID: 444bc25280263ef5f172552b84db7d539f5cb0eda5109e36f819d9f3f17cbdd2
Instruction ID: 1cae84d37cb057d206c1da5a1b7c4ecd027f7ce45bdb054781ed4476da6e7845
Opcode Fuzzy Hash: 444bc25280263ef5f172552b84db7d539f5cb0eda5109e36f819d9f3f17cbdd2
Instruction Fuzzy Hash: 9251D570D0CA4D4FDB58EF68D4897EEBBE1EF99311F00816AE04DD3252DA7499468B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEEB2951, Relevance: 1.7, APIs: 1, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.512069609.00007FFAEEEB0000.00000040.00000001.sdmp, Offset: 00007FFAEEEB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db73bb50425c3a966c94446c7afc6bb1eb5c8b18436cb51f8bf68de4ec89a13
Instruction ID: 1e4930e8b48ebc536611fd1e344ef2f33c4d1b40442599a16eac10764ae5e848
Opcode Fuzzy Hash: 8db73bb50425c3a966c94446c7afc6bb1eb5c8b18436cb51f8bf68de4ec89a13
Instruction Fuzzy Hash: 0E71F67190DB894FE729CB5C98457A9BFE0EF9A310F0481ABD08CC7297D6749D468781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEEB2A18, Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.512069609.00007FFAEEEB0000.00000040.00000001.sdmp, Offset: 00007FFAEEEB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58844b48be74a57989d568c98221a37de65fdb78372aa1b78faa7e5f54dce031
Instruction ID: 32fe7123c348b5f9d9553211ca3fdb77912e8de9b8f545e9e2168bb22e60cc8e
Opcode Fuzzy Hash: 58844b48be74a57989d568c98221a37de65fdb78372aa1b78faa7e5f54dce031
Instruction Fuzzy Hash: 1441A07090CA4C8FDB58DF58D889BEDBBF1EF99311F10816ED04DD3256CA70A9858B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEEBA458, Relevance: 1.6, APIs: 1, Instructions: 139timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNELBASE ref: 00007FFAEEEBA532

Memory Dump Source

Source File: 00000005.00000002.512069609.00007FFAEEEB0000.00000040.00000001.sdmp, Offset: 00007FFAEEEB0000, based on PE: false

Similarity

API ID: TimerWaitable
String ID:
API String ID: 1823812067-0
Opcode ID: 6b2e3c60a3c6abd6ba5de0565730e893e9f3fbb32677b0e3fa64b85cdd74bd1e
Instruction ID: e6c1a9c736c0dcd764dc4cf7f3a93dd453293caae72693b27fe7e48c5bf5b37d
Opcode Fuzzy Hash: 6b2e3c60a3c6abd6ba5de0565730e893e9f3fbb32677b0e3fa64b85cdd74bd1e
Instruction Fuzzy Hash: 33418270908A5C8FDB58DF58D889BEDBBF1FB99311F10826ED04DD3256CA70A985CB81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 1wsm2uXwSY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: OrcusRAT

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Code Manipulations

Statistics

CPU Usage

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre