Edit tour

Windows Analysis Report
W1FREE.exe

Overview

General Information

Sample name:	W1FREE.exe
Analysis ID:	1532111
MD5:	6f7cabf4b4354595f267d7d0860a7264
SHA1:	3743b4d0f283254216471af3d7a48febe1ea3d22
SHA256:	ef18dab7131e795b252462e96eee632dcde3eacd98e4b58078eb82c74f5bd2a4
Tags:	exeuser-aachum
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

W1FREE.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\W1FREE.exe" MD5: 6F7CABF4B4354595F267D7D0860A7264)

schtasks.exe (PID: 3496 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 4444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

system.exe (PID: 2596 cmdline: C:\Users\user\AppData\Roaming\system.exe MD5: 6F7CABF4B4354595F267D7D0860A7264)

system.exe (PID: 2140 cmdline: "C:\Users\user\AppData\Roaming\system.exe" MD5: 6F7CABF4B4354595F267D7D0860A7264)

system.exe (PID: 2284 cmdline: "C:\Users\user\AppData\Roaming\system.exe" MD5: 6F7CABF4B4354595F267D7D0860A7264)

system.exe (PID: 4340 cmdline: C:\Users\user\AppData\Roaming\system.exe MD5: 6F7CABF4B4354595F267D7D0860A7264)

system.exe (PID: 3520 cmdline: MD5: 6F7CABF4B4354595F267D7D0860A7264)

system.exe (PID: 4940 cmdline: MD5: 6F7CABF4B4354595F267D7D0860A7264)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["choose-throw.gl.at.ply.gg"], "Port": "13217", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
W1FREE.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
W1FREE.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
W1FREE.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcfb6:$s6: VirtualBox 0xcf14:$s8: Win32_ComputerSystem 0xf168:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf205:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf31a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xea4a:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\system.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\system.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\system.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcfb6:$s6: VirtualBox 0xcf14:$s8: Win32_ComputerSystem 0xf168:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf205:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf31a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xea4a:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1733310879.0000000000582000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1733310879.0000000000582000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcdb6:$s6: VirtualBox 0xcd14:$s8: Win32_ComputerSystem 0xef68:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf005:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf11a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe84a:$cnc4: POST / HTTP/1.1
00000000.00000002.4187602657.0000000002821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: W1FREE.exe PID: 6892	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.W1FREE.exe.580000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.W1FREE.exe.580000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.W1FREE.exe.580000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcfb6:$s6: VirtualBox 0xcf14:$s8: Win32_ComputerSystem 0xf168:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf205:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf31a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xea4a:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\system.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\W1FREE.exe, ProcessId: 6892, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\W1FREE.exe, ProcessId: 6892, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\W1FREE.exe", ParentImage: C:\Users\user\Desktop\W1FREE.exe, ParentProcessId: 6892, ParentProcessName: W1FREE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe", ProcessId: 3496, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T12:32:14.514515+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	63770	147.185.221.23	13217	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: W1FREE.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\system.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: W1FREE.exe

Malware Configuration Extractor: Xworm {"C2 url": ["choose-throw.gl.at.ply.gg"], "Port": "13217", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for domain / URL

Source: choose-throw.gl.at.ply.gg	Virustotal: Detection: 8%			Perma Link
Source: choose-throw.gl.at.ply.gg	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\system.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\system.exe	Virustotal: Detection: 76%			Perma Link

Multi AV Scanner detection for submitted file

Source: W1FREE.exe	Virustotal: Detection: 76%			Perma Link
Source: W1FREE.exe	ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\system.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: W1FREE.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: W1FREE.exe	String decryptor: choose-throw.gl.at.ply.gg
Source: W1FREE.exe	String decryptor: 13217
Source: W1FREE.exe	String decryptor: <123456789>
Source: W1FREE.exe	String decryptor: <Xwormmm>
Source: W1FREE.exe	String decryptor: USB.exe
Source: W1FREE.exe	String decryptor: %AppData%
Source: W1FREE.exe	String decryptor: system.exe

Source: W1FREE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: W1FREE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:63601 -> 147.185.221.23:13217
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:63770 -> 147.185.221.23:13217

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: choose-throw.gl.at.ply.gg

Yara detected Generic Downloader

Source: Yara match	File source: W1FREE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.W1FREE.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\system.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 147.185.221.23:13217

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: choose-throw.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: W1FREE.exe, system.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: W1FREE.exe, 00000000.00000002.4187602657.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\W1FREE.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: W1FREE.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.W1FREE.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1733310879.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\system.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\W1FREE.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F2381	0_2_00007FFD9B7F2381
Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F1719	0_2_00007FFD9B7F1719
Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F6E62	0_2_00007FFD9B7F6E62
Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F0860	0_2_00007FFD9B7F0860
Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F60B6	0_2_00007FFD9B7F60B6
Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F20ED	0_2_00007FFD9B7F20ED
Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F108D	0_2_00007FFD9B7F108D
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 3_2_00007FFD9B7E1719	3_2_00007FFD9B7E1719
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 3_2_00007FFD9B7E1038	3_2_00007FFD9B7E1038
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 3_2_00007FFD9B7E20ED	3_2_00007FFD9B7E20ED
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 7_2_00007FFD9B7D1719	7_2_00007FFD9B7D1719
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 7_2_00007FFD9B7D1038	7_2_00007FFD9B7D1038
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 7_2_00007FFD9B7D20ED	7_2_00007FFD9B7D20ED
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 8_2_00007FFD9B801719	8_2_00007FFD9B801719
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 8_2_00007FFD9B801038	8_2_00007FFD9B801038
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 8_2_00007FFD9B8020ED	8_2_00007FFD9B8020ED
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 9_2_00007FFD9B7F1719	9_2_00007FFD9B7F1719
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 9_2_00007FFD9B7F1038	9_2_00007FFD9B7F1038
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 9_2_00007FFD9B7F20ED	9_2_00007FFD9B7F20ED

Source: W1FREE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: W1FREE.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.W1FREE.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1733310879.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\system.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: W1FREE.exe, 6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: W1FREE.exe, 6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: W1FREE.exe, aeb2vUhvoKPSctPnis29AiZnkul954D1FxQDUTPtu8VEAME42Q1uy0i9.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: system.exe.0.dr, 6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: system.exe.0.dr, 6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: system.exe.0.dr, aeb2vUhvoKPSctPnis29AiZnkul954D1FxQDUTPtu8VEAME42Q1uy0i9.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: W1FREE.exe, htj7fUSLQQK97C901WtrftmY.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: W1FREE.exe, htj7fUSLQQK97C901WtrftmY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: system.exe.0.dr, htj7fUSLQQK97C901WtrftmY.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: system.exe.0.dr, htj7fUSLQQK97C901WtrftmY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@4/2

Source: C:\Users\user\Desktop\W1FREE.exe

File created: C:\Users\user\AppData\Roaming\system.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\system.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\W1FREE.exe	Mutant created: \Sessions\1\BaseNamedObjects\IKvrqUJT9r6eDqAD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03

Source: C:\Users\user\Desktop\W1FREE.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: W1FREE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: W1FREE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\W1FREE.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: W1FREE.exe	Virustotal: Detection: 76%
Source: W1FREE.exe	ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\W1FREE.exe

File read: C:\Users\user\Desktop\W1FREE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\W1FREE.exe "C:\Users\user\Desktop\W1FREE.exe"
Source: C:\Users\user\Desktop\W1FREE.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\system.exe C:\Users\user\AppData\Roaming\system.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\system.exe "C:\Users\user\AppData\Roaming\system.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\system.exe "C:\Users\user\AppData\Roaming\system.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\system.exe C:\Users\user\AppData\Roaming\system.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\system.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\system.exe
Source: C:\Users\user\Desktop\W1FREE.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe"	Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: system.lnk.0.dr

LNK file: ..\..\..\..\..\system.exe

Source: W1FREE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: W1FREE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: W1FREE.exe, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0jCpSn3TPAiA1lUmUeGqUs0q.EeujjSIzyXUICF1S3bORbmHp,_0jCpSn3TPAiA1lUmUeGqUs0q._8TdRhsD1ulpkL870HoYM35Wh,_0jCpSn3TPAiA1lUmUeGqUs0q._7nJLjrbdeYfocUZ6dc18LHFp,_0jCpSn3TPAiA1lUmUeGqUs0q.MUJV2M1fC17zDx2fOzoEXVQt,_6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.svlAUNrhs4fhd3uAwZsjSDNH8BKJsWu6E7WqtjpL6()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: W1FREE.exe, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{oWHb8YNKwzEmM0WfXhT5Mw7f[2],_6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.RjGqQ1hXLVMl8rZfodfdHL3Pi1iIYsrUOwhUJzR7t(Convert.FromBase64String(oWHb8YNKwzEmM0WfXhT5Mw7f[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: system.exe.0.dr, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0jCpSn3TPAiA1lUmUeGqUs0q.EeujjSIzyXUICF1S3bORbmHp,_0jCpSn3TPAiA1lUmUeGqUs0q._8TdRhsD1ulpkL870HoYM35Wh,_0jCpSn3TPAiA1lUmUeGqUs0q._7nJLjrbdeYfocUZ6dc18LHFp,_0jCpSn3TPAiA1lUmUeGqUs0q.MUJV2M1fC17zDx2fOzoEXVQt,_6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.svlAUNrhs4fhd3uAwZsjSDNH8BKJsWu6E7WqtjpL6()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: system.exe.0.dr, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{oWHb8YNKwzEmM0WfXhT5Mw7f[2],_6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.RjGqQ1hXLVMl8rZfodfdHL3Pi1iIYsrUOwhUJzR7t(Convert.FromBase64String(oWHb8YNKwzEmM0WfXhT5Mw7f[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: W1FREE.exe, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: W84JWrZQi8a1qILCmJEI5pOH System.AppDomain.Load(byte[])
Source: W1FREE.exe, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: azGXGnPXVh2zgxAyflDnkkHd System.AppDomain.Load(byte[])
Source: W1FREE.exe, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: azGXGnPXVh2zgxAyflDnkkHd
Source: system.exe.0.dr, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: W84JWrZQi8a1qILCmJEI5pOH System.AppDomain.Load(byte[])
Source: system.exe.0.dr, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: azGXGnPXVh2zgxAyflDnkkHd System.AppDomain.Load(byte[])
Source: system.exe.0.dr, hCIvBsyFoejXxD1JkhVUXMOe.cs	.Net Code: azGXGnPXVh2zgxAyflDnkkHd

Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F002A pushad ; iretd	0_2_00007FFD9B7F00C1
Source: C:\Users\user\Desktop\W1FREE.exe	Code function: 0_2_00007FFD9B7F2ADD push ebx; ret	0_2_00007FFD9B7F2B4A
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 3_2_00007FFD9B7E00AD pushad ; iretd	3_2_00007FFD9B7E00C1
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 7_2_00007FFD9B7D00AD pushad ; iretd	7_2_00007FFD9B7D00C1
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 8_2_00007FFD9B8000AD pushad ; iretd	8_2_00007FFD9B8000C1
Source: C:\Users\user\AppData\Roaming\system.exe	Code function: 9_2_00007FFD9B7F00AD pushad ; iretd	9_2_00007FFD9B7F00C1

Source: W1FREE.exe, rJQ9eU60npeq652Ibo7jvQRXM3rUdlYngpwbUMtxi.cs	High entropy of concatenated method names: 'twi6K42bPTI4GYQ2n6IsgBa8hmZagm1U1c3lHShmH', 'pd60DaUs74BzskNbNT6A1gpuowjaPpKAFvmmHKmz6', 'WkiiAo4UsOuxoNgzFOBvuWbV5dZM8oJ6bdMBo9FqY', 'O61PK4T27e2ko0ux', 'do5cd0W2YtVxAzA4', 'iGn1249pBOkO0He2', 'x9uFtPMH24vwKfrD', 'kQ8Sq3SK06BRDWEf', 'mM658JXFajkwzrew', 'wGJghNiG7QBcQvgl'
Source: W1FREE.exe, 0jCpSn3TPAiA1lUmUeGqUs0q.cs	High entropy of concatenated method names: 'APUhdyFM3p8VQO8im0tPPWLDrpUSVmeGxTqyG1xxF', 'dnrjiAuGSQBMv6SMkHl3Nen268nihLPPQb1vBIJp9', 'WwOJf0xn8ZQaqUpTM5sVgfMB45DIJSNdBLxdY8IbI', 'XZ4E5rO0tQ5oWB8DG6CjKvYLtgFYAgqXTFkNVKab8'
Source: W1FREE.exe, nCyWPpVLNarjz8xbfSRSEn60.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xhUg7OzetlYqccN2GXjWru6gaczDolrHBW2w6Q2Dx', 'aYRQG8twAkHNgK3B6VvdE9g2eriVfA27rnQjc6PYv', '_4O2M0VijjDsV91docL8dyBZn37l99A6yH8IOUOfUO', 'TAJhLWNIKRwhgBJMAngVKSaXns5T1WLXqvBIKy7T1'
Source: W1FREE.exe, MtWeevp3Ou6I0D9xZmY4TWpP.cs	High entropy of concatenated method names: '_8cawZgo3hwxTF2OX1GlJKMe3', '_3HNkuljQi9I1KUd6Ok5x82gO', 'PvABkv8h23X1x3rqe2HfxzJY', 'agOZabpfCbyDM4Lal205i7Mr', '_6dcLdQh5gMgNAD4pGTnFP9Vl', 'SXbDnS14rMZU5U0wl2jhEfIX', 'iKYmL6S8wDSYECgCcDoE1uIp', 'S7wgpZ9xdM8DaOcDLCbLDoeo', 'BdFoWeM3p98ZWEOaVxdBioV7', 'CDiZ2FOgrQwwZSzeGksYL29R'
Source: W1FREE.exe, FuD0wDdNzpjleaHRPL2HVwuy4urGRNvot3Vq0xbZ2Sokj3t4TymJdGe9.cs	High entropy of concatenated method names: 'QGT6IrhPmY39lxWGU1srAJf76HKcE9b0yeXVqU83PfjQd0mZztHXmqPc', 'qr2GqV4BneI0bESBEyal7B209grGImhZtQ8AYIOjRFm86LNJZEeEKXf2', 'SRMYAdDNssxbwaeKWybVYM875anYLy4ZL3UFqvfSMoSKNYSp0RoVO36G', 'm5OuSmSvZg0PfOr1iABaquK6xiw559C4ROulGyC0MM2Oliz7HrOOnKsQ', 'LiErNUxWAQGHZriT', 'CYjuVsYhgisqUsZ9', 'rBPgm1TQTCC52zd8', '_4YEUO6Dz4U184SJq', 'oMetrFt8H6kkgOML', 'UzuYfB9V9qbM5eu1'
Source: W1FREE.exe, 6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.cs	High entropy of concatenated method names: 'MGnFeT3WUePNZQMv3437ZKqY7hojUM0kctoYnLmaVQjYehPoKOlkqTwA', 'SETVYJuJCWjXnGf960cSswuTsBS52pj8PUP4W6e47HQiZCWzZSkGSlf6', 'GQZWVgEqqDyFnU1maWpzlWxwpO4xIKT3VlQnqd7uHe3z41nYK5YhvtET', 'W5PshI6C9ukuVqYoKZHmtXVNscb43SoHptocm3MgZ3svBCmtgjmwVKpq', 'tXoC4yYAldnHuZBesINSyKm71uliux1pLdZdTfKQr0j7JMp5VebGBGv7', 's4QvAGDWP1HM9ECQhSsy1UBkDWIGwtabHw44nzi63tTDOsm3EuraQFQa', 'qH3uGlGjI9Sd34aZvrc68cvg17hgAvm7m14yEIHPlr5Cq3t5INUNnTQG', 'CddG2dy6VNGghEP4YCMAd52S4XecTBOa1cuPzs1hW3VuoU9StsbQ5blG', 'z7rcpOFlQ3modWEEpDLR20DgL7FqJtFPNZ7z5NoTAu9poCXbs4l7zE9R', 'NytehDfXhaK9rYpU2GuCgbFax9dsPdnKi4lEmUmdeGPSdkrq4zBWiRNm'
Source: W1FREE.exe, htj7fUSLQQK97C901WtrftmY.cs	High entropy of concatenated method names: 'xopZST7ELXh3YP8gnZnCnaFi', 'WeJfjxRnS2Sjf47CMwNHwlro', 'dgjnJXGWpg4T4u2V432Es95x', 'TkbVwBYUn8KIg29GJAdG6cNW', 'ivHTOfvQpyKSYefxBE9aAz7Q', 'UOur1LYxR0GJa6xkO3t41w6p', 'BBgXntJCVHgdPagrWHRF4wz8', 'PmMiuVzIa0346MsdEkFZJ9Ib', 'U1TF64AUVmNK3VTHghw0a4lW', 'UR8JinKNdIxXrYzvctjy97xB'
Source: W1FREE.exe, 3IpF7as7Q5ypJGArhFbS4vqg.cs	High entropy of concatenated method names: 'n1gwRAflUanT86uOPQ1bMrDV', 'Dnb5TNc6c6vZYtTlgEW54llR', 'ZRyyZiiLcdnEzzEEUjxV48Bl', '_3MpveEuNJwh8swRAPCRrLkE3', 'lPVABD2nYnfnJa54sqv3ivGw', 'axp7mk8yk08JEfoffPgRzRoQQrFr0o6vqh3uUH3NoPqz7uEocrlSQtpL', '_2P5n0iD1s9mKOTCtEziZjIsYC2jCc0FecI4bQRDfjntvqGHhHVjPAGAE', 'xht5tNfOIcFjwt3IVheVHFgyge9kB0DUMC1UQZeqCvRXmtjPSOLHF8Gl', 'kKKmzu0XMc0dnPTDfUXr2kXrUT7LLIp5BFqakSgrzEQYYXoxp257PqGT', 'YtXK8WDxtVopS7mbfdsUJaxtzw2VbwgksCAkQRCMZVoWaouLexPrDH8T'
Source: W1FREE.exe, aeb2vUhvoKPSctPnis29AiZnkul954D1FxQDUTPtu8VEAME42Q1uy0i9.cs	High entropy of concatenated method names: 'INQd7GVpMr6hmJiSMFIhdupgZbGVB2WBs4HdrokFFOF1oZqC7dhVlUDk', 'OPFRRfuA4vBHlN59', 'lXNPGrhajeHjy0Lf', 'XalDw047YSvkHW5v', 'OdwrwORS2C5Xktjq'
Source: W1FREE.exe, hCIvBsyFoejXxD1JkhVUXMOe.cs	High entropy of concatenated method names: 'qHyr4ETbeUDkCSWxoVl0nnuK', 'W84JWrZQi8a1qILCmJEI5pOH', 'K1CpqllZmuykNbug24AgfAUa', 'bQ6rm6tcRey7WMfPsnzTKmpK', 'ShxWF6tArkG02XEcTI1StqEz', 'g7AGvBAwbulEvBVDrcw27I2v', '_895w1e5wVcdFJ4D2fDrqjC1O', 'oXHKmrbxXJWLu8U2CeGF73qp', 'vfGNkigj2jbtwDPv82ZXeXUp', 'qWgPMWtkj2qbN0hUC5UEGLNt'
Source: system.exe.0.dr, rJQ9eU60npeq652Ibo7jvQRXM3rUdlYngpwbUMtxi.cs	High entropy of concatenated method names: 'twi6K42bPTI4GYQ2n6IsgBa8hmZagm1U1c3lHShmH', 'pd60DaUs74BzskNbNT6A1gpuowjaPpKAFvmmHKmz6', 'WkiiAo4UsOuxoNgzFOBvuWbV5dZM8oJ6bdMBo9FqY', 'O61PK4T27e2ko0ux', 'do5cd0W2YtVxAzA4', 'iGn1249pBOkO0He2', 'x9uFtPMH24vwKfrD', 'kQ8Sq3SK06BRDWEf', 'mM658JXFajkwzrew', 'wGJghNiG7QBcQvgl'
Source: system.exe.0.dr, 0jCpSn3TPAiA1lUmUeGqUs0q.cs	High entropy of concatenated method names: 'APUhdyFM3p8VQO8im0tPPWLDrpUSVmeGxTqyG1xxF', 'dnrjiAuGSQBMv6SMkHl3Nen268nihLPPQb1vBIJp9', 'WwOJf0xn8ZQaqUpTM5sVgfMB45DIJSNdBLxdY8IbI', 'XZ4E5rO0tQ5oWB8DG6CjKvYLtgFYAgqXTFkNVKab8'
Source: system.exe.0.dr, nCyWPpVLNarjz8xbfSRSEn60.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xhUg7OzetlYqccN2GXjWru6gaczDolrHBW2w6Q2Dx', 'aYRQG8twAkHNgK3B6VvdE9g2eriVfA27rnQjc6PYv', '_4O2M0VijjDsV91docL8dyBZn37l99A6yH8IOUOfUO', 'TAJhLWNIKRwhgBJMAngVKSaXns5T1WLXqvBIKy7T1'
Source: system.exe.0.dr, MtWeevp3Ou6I0D9xZmY4TWpP.cs	High entropy of concatenated method names: '_8cawZgo3hwxTF2OX1GlJKMe3', '_3HNkuljQi9I1KUd6Ok5x82gO', 'PvABkv8h23X1x3rqe2HfxzJY', 'agOZabpfCbyDM4Lal205i7Mr', '_6dcLdQh5gMgNAD4pGTnFP9Vl', 'SXbDnS14rMZU5U0wl2jhEfIX', 'iKYmL6S8wDSYECgCcDoE1uIp', 'S7wgpZ9xdM8DaOcDLCbLDoeo', 'BdFoWeM3p98ZWEOaVxdBioV7', 'CDiZ2FOgrQwwZSzeGksYL29R'
Source: system.exe.0.dr, FuD0wDdNzpjleaHRPL2HVwuy4urGRNvot3Vq0xbZ2Sokj3t4TymJdGe9.cs	High entropy of concatenated method names: 'QGT6IrhPmY39lxWGU1srAJf76HKcE9b0yeXVqU83PfjQd0mZztHXmqPc', 'qr2GqV4BneI0bESBEyal7B209grGImhZtQ8AYIOjRFm86LNJZEeEKXf2', 'SRMYAdDNssxbwaeKWybVYM875anYLy4ZL3UFqvfSMoSKNYSp0RoVO36G', 'm5OuSmSvZg0PfOr1iABaquK6xiw559C4ROulGyC0MM2Oliz7HrOOnKsQ', 'LiErNUxWAQGHZriT', 'CYjuVsYhgisqUsZ9', 'rBPgm1TQTCC52zd8', '_4YEUO6Dz4U184SJq', 'oMetrFt8H6kkgOML', 'UzuYfB9V9qbM5eu1'
Source: system.exe.0.dr, 6n54hoB8iZXb7Qvi3d5Ahe2R2a4iz0JjBSdIrbFzQ4yYn7BBxzWHhzUi.cs	High entropy of concatenated method names: 'MGnFeT3WUePNZQMv3437ZKqY7hojUM0kctoYnLmaVQjYehPoKOlkqTwA', 'SETVYJuJCWjXnGf960cSswuTsBS52pj8PUP4W6e47HQiZCWzZSkGSlf6', 'GQZWVgEqqDyFnU1maWpzlWxwpO4xIKT3VlQnqd7uHe3z41nYK5YhvtET', 'W5PshI6C9ukuVqYoKZHmtXVNscb43SoHptocm3MgZ3svBCmtgjmwVKpq', 'tXoC4yYAldnHuZBesINSyKm71uliux1pLdZdTfKQr0j7JMp5VebGBGv7', 's4QvAGDWP1HM9ECQhSsy1UBkDWIGwtabHw44nzi63tTDOsm3EuraQFQa', 'qH3uGlGjI9Sd34aZvrc68cvg17hgAvm7m14yEIHPlr5Cq3t5INUNnTQG', 'CddG2dy6VNGghEP4YCMAd52S4XecTBOa1cuPzs1hW3VuoU9StsbQ5blG', 'z7rcpOFlQ3modWEEpDLR20DgL7FqJtFPNZ7z5NoTAu9poCXbs4l7zE9R', 'NytehDfXhaK9rYpU2GuCgbFax9dsPdnKi4lEmUmdeGPSdkrq4zBWiRNm'
Source: system.exe.0.dr, htj7fUSLQQK97C901WtrftmY.cs	High entropy of concatenated method names: 'xopZST7ELXh3YP8gnZnCnaFi', 'WeJfjxRnS2Sjf47CMwNHwlro', 'dgjnJXGWpg4T4u2V432Es95x', 'TkbVwBYUn8KIg29GJAdG6cNW', 'ivHTOfvQpyKSYefxBE9aAz7Q', 'UOur1LYxR0GJa6xkO3t41w6p', 'BBgXntJCVHgdPagrWHRF4wz8', 'PmMiuVzIa0346MsdEkFZJ9Ib', 'U1TF64AUVmNK3VTHghw0a4lW', 'UR8JinKNdIxXrYzvctjy97xB'
Source: system.exe.0.dr, 3IpF7as7Q5ypJGArhFbS4vqg.cs	High entropy of concatenated method names: 'n1gwRAflUanT86uOPQ1bMrDV', 'Dnb5TNc6c6vZYtTlgEW54llR', 'ZRyyZiiLcdnEzzEEUjxV48Bl', '_3MpveEuNJwh8swRAPCRrLkE3', 'lPVABD2nYnfnJa54sqv3ivGw', 'axp7mk8yk08JEfoffPgRzRoQQrFr0o6vqh3uUH3NoPqz7uEocrlSQtpL', '_2P5n0iD1s9mKOTCtEziZjIsYC2jCc0FecI4bQRDfjntvqGHhHVjPAGAE', 'xht5tNfOIcFjwt3IVheVHFgyge9kB0DUMC1UQZeqCvRXmtjPSOLHF8Gl', 'kKKmzu0XMc0dnPTDfUXr2kXrUT7LLIp5BFqakSgrzEQYYXoxp257PqGT', 'YtXK8WDxtVopS7mbfdsUJaxtzw2VbwgksCAkQRCMZVoWaouLexPrDH8T'
Source: system.exe.0.dr, aeb2vUhvoKPSctPnis29AiZnkul954D1FxQDUTPtu8VEAME42Q1uy0i9.cs	High entropy of concatenated method names: 'INQd7GVpMr6hmJiSMFIhdupgZbGVB2WBs4HdrokFFOF1oZqC7dhVlUDk', 'OPFRRfuA4vBHlN59', 'lXNPGrhajeHjy0Lf', 'XalDw047YSvkHW5v', 'OdwrwORS2C5Xktjq'
Source: system.exe.0.dr, hCIvBsyFoejXxD1JkhVUXMOe.cs	High entropy of concatenated method names: 'qHyr4ETbeUDkCSWxoVl0nnuK', 'W84JWrZQi8a1qILCmJEI5pOH', 'K1CpqllZmuykNbug24AgfAUa', 'bQ6rm6tcRey7WMfPsnzTKmpK', 'ShxWF6tArkG02XEcTI1StqEz', 'g7AGvBAwbulEvBVDrcw27I2v', '_895w1e5wVcdFJ4D2fDrqjC1O', 'oXHKmrbxXJWLu8U2CeGF73qp', 'vfGNkigj2jbtwDPv82ZXeXUp', 'qWgPMWtkj2qbN0hUC5UEGLNt'

Source: C:\Users\user\Desktop\W1FREE.exe

File created: C:\Users\user\AppData\Roaming\system.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\W1FREE.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe"

Source: C:\Users\user\Desktop\W1FREE.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run system			Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run system			Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: W1FREE.exe, 00000000.00000002.4187602657.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: W1FREE.exe, system.exe.0.dr	Binary or memory string: SBIEDLL.DLLSC6AQQJDBRWRCLTTZUTVNGC6K4ZNU36RNWNLCEAXVASABAMSCAKSCQLZGDDN3Q13WBYV9L0CD5BU97ZHZEVWSGEF6SPY4GSRDXOVHLTHOFPRDZLZC1KTDZ3HMRC4R8SWMO8KNOV4XXRZRMA0BB172YPHHVJS2XIDBVWCVRIVSA6TPV03JVDMVVHWV2PBCSQ9DARFKKSJTQVOAXH38NSCHSVBRJAWP4P25VSUEYR1GXMR2X50ZBYASJBI4VJ3SB5YNBISOQ2CYLIZVUCI6ESTDVS84RS7NOZSU6YDVTS7Y8SZALNQLVPKEWEUOAB616RXNU1ZVGBMFXKVJQKQS8PACGTAHXV7MKNMDWLW3CSFP9VMFHXPAZ865CZA9WSPSBHKL6O089IV5FJQXL14DWTIA7NNRGCT6PEP5IZ8SHPVRUH3KCRL5OLQRB3BMOJAM1Y0X246VJTO1NUI44SJXLLO4PEDGPVYT0YWMX0ULBIUPBO5CAUOSPQO2N0ASUXV44JO6Z6ZPDHRDHQWGNDUMRMPNXJCG3BK3SM7JOINFO

Source: C:\Users\user\Desktop\W1FREE.exe	Memory allocated: 2680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Memory allocated: 1A820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 1410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 1B020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 1710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 1B1A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 1A5B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 11F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 1AFD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 1A960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Memory allocated: 1A690000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe	Window / User API: threadDelayed 8169			Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Window / User API: threadDelayed 1678			Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe TID: 6048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe TID: 764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe TID: 5676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe TID: 1364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe TID: 6244	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe TID: 1364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe TID: 1068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	File Volume queried: unknown FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: system.exe.0.dr	Binary or memory string: vmware
Source: W1FREE.exe, 00000000.00000002.4190305523.000000001B685000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\W1FREE.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Roaming\system.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\W1FREE.exe

Code function: 0_2_00007FFD9B7F7A71 CheckRemoteDebuggerPresent,

0_2_00007FFD9B7F7A71

Source: C:\Users\user\Desktop\W1FREE.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe"

Jump to behavior

Source: W1FREE.exe, 00000000.00000002.4187602657.0000000002983000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: W1FREE.exe, 00000000.00000002.4187602657.0000000002983000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: W1FREE.exe, 00000000.00000002.4187602657.0000000002983000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: W1FREE.exe, 00000000.00000002.4187602657.0000000002983000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: W1FREE.exe, 00000000.00000002.4187602657.0000000002983000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2b

Source: C:\Users\user\Desktop\W1FREE.exe	Queries volume information: C:\Users\user\Desktop\W1FREE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W1FREE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Queries volume information: C:\Users\user\AppData\Roaming\system.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Queries volume information: C:\Users\user\AppData\Roaming\system.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Queries volume information: C:\Users\user\AppData\Roaming\system.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Queries volume information: C:\Users\user\AppData\Roaming\system.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Queries volume information: C:\Users\user\AppData\Roaming\system.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\system.exe	Queries volume information: unknown VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\W1FREE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: W1FREE.exe, 00000000.00000002.4190305523.000000001B727000.00000004.00000020.00020000.00000000.sdmp, W1FREE.exe, 00000000.00000002.4186853644.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, W1FREE.exe, 00000000.00000002.4190305523.000000001B685000.00000004.00000020.00020000.00000000.sdmp, W1FREE.exe, 00000000.00000002.4190305523.000000001B6BD000.00000004.00000020.00020000.00000000.sdmp, W1FREE.exe, 00000000.00000002.4190305523.000000001B6D4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\W1FREE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: W1FREE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.W1FREE.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1733310879.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4187602657.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: W1FREE.exe PID: 6892, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\system.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: W1FREE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.W1FREE.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1733310879.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4187602657.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: W1FREE.exe PID: 6892, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\system.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	641 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
W1FREE.exe	77%	Virustotal		Browse
W1FREE.exe	81%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
W1FREE.exe	100%	Avira	TR/Spy.Gen
W1FREE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\system.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\system.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\system.exe	81%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\system.exe	77%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
ip-api.com	0%	Virustotal	Browse
choose-throw.gl.at.ply.gg	8%	Virustotal	Browse
206.23.85.13.in-addr.arpa	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
choose-throw.gl.at.ply.gg	8%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
choose-throw.gl.at.ply.gg	147.185.221.23	true	true	8%, Virustotal, Browse	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
choose-throw.gl.at.ply.gg	true	8%, Virustotal, Browse	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	W1FREE.exe, 00000000.00000002.4187602657.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
147.185.221.23	choose-throw.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532111
Start date and time:	2024-10-12 12:28:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	W1FREE.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/4@4/2
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 100% Number of executed functions: 85 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target system.exe, PID 2140 because it is empty
Execution Graph export aborted for target system.exe, PID 2284 because it is empty
Execution Graph export aborted for target system.exe, PID 2596 because it is empty
Execution Graph export aborted for target system.exe, PID 4340 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:29:07	API Interceptor	16612078x Sleep call for process: W1FREE.exe modified
11:29:07	Task Scheduler	Run new task: system path: C:\Users\user\AppData\Roaming\system.exe
11:29:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run system C:\Users\user\AppData\Roaming\system.exe
11:29:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run system C:\Users\user\AppData\Roaming\system.exe
11:29:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Tracking#1Z379W410424496200.vbs	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PO.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	4HyAcc2Dct.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	kUFcZgip68.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	download.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2ktrFR0W3v.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	ip-api.com/json/
	Vessel_Doc_OCN2613132.bat.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Tracking#1Z379W410424496200.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PO.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4HyAcc2Dct.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	kUFcZgip68.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	download.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2ktrFR0W3v.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	208.95.112.1
	Vessel_Doc_OCN2613132.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	Tracking#1Z379W410424496200.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PO.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4HyAcc2Dct.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	kUFcZgip68.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	download.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2ktrFR0W3v.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	208.95.112.1
	Vessel_Doc_OCN2613132.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
SALSGIVERUS	dHp58IIEYz.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	Lr87y2w72r.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	7LwVrYH7sy.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	432mtXKD3l.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	5q4X9fRo4b.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.17
	l18t80u9zg.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	Windows Defender.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	x2Yi9Hr77a.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	e7WMhx18XN.exe	Get hash	malicious	SilentXMRMiner, Xmrig	Browse	147.185.221.22
	SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exe	Get hash	malicious	Njrat	Browse	147.185.221.22

Process:	C:\Users\user\AppData\Roaming\system.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\W1FREE.exe
File Type:	Generic INItialization configuration [WIN]
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.6722687970803873
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:	DE63D53293EBACE29F3F54832D739D40
SHA1:	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:	10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

Download File

Process:	C:\Users\user\Desktop\W1FREE.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Oct 12 09:29:06 2024, mtime=Sat Oct 12 09:29:06 2024, atime=Sat Oct 12 09:29:06 2024, length=68608, window=hide
Category:	dropped
Size (bytes):	759
Entropy (8bit):	5.025100099488229
Encrypted:	false
SSDEEP:	12:8R50sg41IBSWCggdY//UgLVKK5rfjAcCrH9eSBfBmV:8fB1IBNK+My3lrAVgSBfBm
MD5:	4A7C098B5AA8809D45DC95D5CDBA7559
SHA1:	695CAF3C831637CD41C52643A27CB98B98EAFACE
SHA-256:	66EFB6890CA26718188270C1857D29609A7D7EB9D245AB2C59EC051647547E48
SHA-512:	872C8BE1BC6EA9243CE6B00CEBC31E3CF0D5910644ACB18A6142625A1BCF89235656327C749C656D15318856C06377FD1704E7FFA6750EC2629D659593571D16
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....y.......y.......y..............................t.:..DG..Yr?.D..U..k0.&...&......vk.v.....3......&.0.........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^LY.S...........................%..A.p.p.D.a.t.a...B.V.1.....LY.S..Roaming.@......CW.^LY.S...........................g..R.o.a.m.i.n.g.....`.2.....LY.S .system.exe..F......LY.SLY.S..........................S...s.y.s.t.e.m...e.x.e.......X...............-.......W...................C:\Users\user\AppData\Roaming\system.exe........\.....\.....\.....\.....\.s.y.s.t.e.m...e.x.e.`.......X.......965543...........hT..CrF.f4... ..~T..b...,.......hT..CrF.f4... ..~T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\system.exe

Download File

Process:	C:\Users\user\Desktop\W1FREE.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	5.963964626880383
Encrypted:	false
SSDEEP:	1536:wxvEVs0WIyYR9hYoQtzJbI0UB+E32zUfOTwDnzRQ:wx8VTy+h/YlbV5oOEDFQ
MD5:	6F7CABF4B4354595F267D7D0860A7264
SHA1:	3743B4D0F283254216471AF3D7A48FEBE1EA3D22
SHA-256:	EF18DAB7131E795B252462E96EEE632DCDE3EACD98E4B58078EB82C74F5BD2A4
SHA-512:	39CC260160567A730656087C76B01CE28FA493B748344BD8215CCEECA8863B89FD8FB0F3F2DC5C647DD0C531048B41744E7117CA985FDFAF96B2B609BA55455B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\system.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\system.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\system.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 77%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..g.............................!... ...@....@.. ....................................@.................................P!..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H........a..T.......&.....................................................(.....r...p. ~.H...(.....rU..p. ....s.........s.........s.........s..........r...p. @g..r...p. ..g..rQ..p. .....r...p. =....r...p. .O....((....rC..p. !o...r...p. (.\|..(...-.(+...,.+.(,...,.+.()...,.+.((...,..(T..."(....+.&(....&+..+5sf... .... .'..og...(,...~....-.(\...(N...~....oh...&.-..r...p. .....r?..p. .W...r...p. .(T..r...p. .x!..r;..p. S....r...p. W.R.*.r..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.963964626880383
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	W1FREE.exe
File size:	68'608 bytes
MD5:	6f7cabf4b4354595f267d7d0860a7264
SHA1:	3743b4d0f283254216471af3d7a48febe1ea3d22
SHA256:	ef18dab7131e795b252462e96eee632dcde3eacd98e4b58078eb82c74f5bd2a4
SHA512:	39cc260160567a730656087c76b01ce28fa493b748344bd8215cceeca8863b89fd8fb0f3f2dc5c647dd0c531048b41744e7117ca985fdfaf96b2b609ba55455b
SSDEEP:	1536:wxvEVs0WIyYR9hYoQtzJbI0UB+E32zUfOTwDnzRQ:wx8VTy+h/YlbV5oOEDFQ
TLSH:	3B636B0CB7E90125E1BF9FB61DE63216CB7ABB531803D71F28D901992B23A88C9516F5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..g.............................!... ...@....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41219e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6706053D [Wed Oct 9 04:23:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12150	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x4ce	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x101a4	0x10200	57caa1d2c9beee43e50078cf26a8d5d7	False	0.5952943313953488	data	6.044060316278805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x4ce	0x600	ef7668093b44becc378928c94d325834	False	0.375	data	3.7346556064321574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	d23945842d5749028e1c2e51cfb9582e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x244	data			0.47413793103448276
RT_MANIFEST	0x142e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-12T12:30:15.795671+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	63601	147.185.221.23	13217	TCP
2024-10-12T12:32:14.514515+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	63770	147.185.221.23	13217	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 12:29:06.038145065 CEST	49730	80	192.168.2.4	208.95.112.1
Oct 12, 2024 12:29:06.043087959 CEST	80	49730	208.95.112.1	192.168.2.4
Oct 12, 2024 12:29:06.043170929 CEST	49730	80	192.168.2.4	208.95.112.1
Oct 12, 2024 12:29:06.043679953 CEST	49730	80	192.168.2.4	208.95.112.1
Oct 12, 2024 12:29:06.048616886 CEST	80	49730	208.95.112.1	192.168.2.4
Oct 12, 2024 12:29:06.531672001 CEST	80	49730	208.95.112.1	192.168.2.4
Oct 12, 2024 12:29:06.573265076 CEST	49730	80	192.168.2.4	208.95.112.1
Oct 12, 2024 12:29:08.062927008 CEST	49731	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:08.068160057 CEST	13217	49731	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:08.068480015 CEST	49731	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:08.109390974 CEST	49731	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:08.114361048 CEST	13217	49731	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:13.046662092 CEST	13217	49731	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:13.047143936 CEST	49731	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:14.964471102 CEST	49731	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:14.969722986 CEST	13217	49731	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:14.970746994 CEST	49732	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:14.975771904 CEST	13217	49732	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:14.975976944 CEST	49732	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:14.996591091 CEST	49732	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:15.001749039 CEST	13217	49732	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:19.940664053 CEST	13217	49732	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:19.940902948 CEST	49732	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:22.683156013 CEST	49732	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:22.685823917 CEST	49739	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:22.688323975 CEST	13217	49732	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:22.690848112 CEST	13217	49739	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:22.690972090 CEST	49739	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:22.720134020 CEST	49739	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:22.725382090 CEST	13217	49739	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:27.651573896 CEST	13217	49739	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:27.651662111 CEST	49739	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:32.229749918 CEST	49739	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:32.231775999 CEST	49740	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:32.234838009 CEST	13217	49739	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:32.236944914 CEST	13217	49740	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:32.237027884 CEST	49740	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:32.255037069 CEST	49740	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:32.261204004 CEST	13217	49740	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:37.186588049 CEST	13217	49740	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:37.186676025 CEST	49740	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:39.792232037 CEST	49740	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:39.797355890 CEST	13217	49740	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:39.806318045 CEST	63476	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:39.811204910 CEST	13217	63476	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:39.811270952 CEST	63476	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:39.830374002 CEST	63476	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:39.835557938 CEST	13217	63476	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:44.750646114 CEST	13217	63476	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:44.750974894 CEST	63476	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:46.729851961 CEST	63476	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:46.731662035 CEST	63478	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:46.735023975 CEST	13217	63476	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:46.736689091 CEST	13217	63478	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:46.736749887 CEST	63478	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:46.750807047 CEST	63478	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:46.757204056 CEST	13217	63478	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:51.699687958 CEST	13217	63478	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:51.699786901 CEST	63478	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:51.870408058 CEST	63478	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:51.872163057 CEST	63479	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:51.875480890 CEST	13217	63478	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:51.877001047 CEST	13217	63479	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:51.877083063 CEST	63479	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:51.896853924 CEST	63479	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:51.902404070 CEST	13217	63479	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:56.843673944 CEST	13217	63479	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:56.844152927 CEST	63479	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:58.013168097 CEST	63479	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:58.015815973 CEST	63501	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:58.018021107 CEST	13217	63479	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:58.020674944 CEST	13217	63501	147.185.221.23	192.168.2.4
Oct 12, 2024 12:29:58.020755053 CEST	63501	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:58.042860031 CEST	63501	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:29:58.047858953 CEST	13217	63501	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:02.977022886 CEST	13217	63501	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:02.979336977 CEST	63501	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:03.244299889 CEST	63501	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:03.249855995 CEST	13217	63501	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:03.266165972 CEST	63534	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:03.271321058 CEST	13217	63534	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:03.275127888 CEST	63534	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:03.392484903 CEST	63534	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:03.397260904 CEST	13217	63534	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:08.925712109 CEST	13217	63534	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:08.925792933 CEST	63534	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:08.926074028 CEST	13217	63534	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:08.926120043 CEST	63534	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:08.926470041 CEST	13217	63534	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:08.926517010 CEST	63534	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:08.948518991 CEST	63534	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:08.950705051 CEST	63565	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:08.953370094 CEST	13217	63534	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:08.955786943 CEST	13217	63565	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:08.955864906 CEST	63565	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:08.976804018 CEST	63565	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:08.981956005 CEST	13217	63565	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:13.919903040 CEST	13217	63565	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:13.920108080 CEST	63565	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:14.260693073 CEST	80	49730	208.95.112.1	192.168.2.4
Oct 12, 2024 12:30:14.260967016 CEST	49730	80	192.168.2.4	208.95.112.1
Oct 12, 2024 12:30:15.526870966 CEST	63565	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:15.528965950 CEST	63601	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:15.532264948 CEST	13217	63565	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:15.534213066 CEST	13217	63601	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:15.534292936 CEST	63601	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:15.719995022 CEST	63601	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:15.725840092 CEST	13217	63601	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:15.795670986 CEST	63601	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:15.800616026 CEST	13217	63601	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:20.507157087 CEST	13217	63601	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:20.507339001 CEST	63601	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:20.870553017 CEST	63601	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:20.873934984 CEST	63635	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:20.876964092 CEST	13217	63601	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:20.879005909 CEST	13217	63635	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:20.879072905 CEST	63635	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:20.928482056 CEST	63635	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:20.933299065 CEST	13217	63635	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:20.964842081 CEST	63635	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:20.969890118 CEST	13217	63635	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:22.949137926 CEST	63635	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:22.954011917 CEST	13217	63635	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:25.214354038 CEST	63635	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:25.219234943 CEST	13217	63635	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:25.832773924 CEST	13217	63635	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:25.832887888 CEST	63635	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:26.027154922 CEST	63635	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:26.031224966 CEST	63670	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:26.032263041 CEST	13217	63635	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:26.036237955 CEST	13217	63670	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:26.036900997 CEST	63670	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:26.123152018 CEST	63670	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:26.432908058 CEST	63670	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:27.042285919 CEST	63670	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:27.137586117 CEST	13217	63670	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:27.137620926 CEST	13217	63670	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:27.137649059 CEST	13217	63670	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:30.986439943 CEST	13217	63670	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:30.986659050 CEST	63670	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:31.136255980 CEST	63670	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:31.141201973 CEST	13217	63670	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:31.142538071 CEST	63696	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:31.147413969 CEST	13217	63696	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:31.147494078 CEST	63696	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:31.182287931 CEST	63696	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:31.187151909 CEST	13217	63696	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:34.871066093 CEST	63696	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:34.875902891 CEST	13217	63696	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:36.080164909 CEST	13217	63696	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:36.081629992 CEST	63696	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:36.215173960 CEST	63696	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:36.215528965 CEST	63728	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:36.220048904 CEST	13217	63696	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:36.220487118 CEST	13217	63728	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:36.220683098 CEST	63728	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:36.368448019 CEST	63728	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:36.373328924 CEST	13217	63728	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:36.386420965 CEST	63728	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:36.391228914 CEST	13217	63728	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:36.401943922 CEST	63728	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:36.406842947 CEST	13217	63728	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:36.417529106 CEST	63728	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:36.422312021 CEST	13217	63728	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:41.189156055 CEST	13217	63728	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:41.189306974 CEST	63728	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:41.433211088 CEST	63728	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:41.434745073 CEST	63753	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:41.439321041 CEST	13217	63728	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:41.440124989 CEST	13217	63753	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:41.440232038 CEST	63753	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:41.723308086 CEST	63753	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:41.728322983 CEST	13217	63753	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:46.390223026 CEST	13217	63753	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:46.390291929 CEST	63753	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:46.545053005 CEST	49730	80	192.168.2.4	208.95.112.1
Oct 12, 2024 12:30:46.550088882 CEST	80	49730	208.95.112.1	192.168.2.4
Oct 12, 2024 12:30:47.339461088 CEST	63753	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:47.342072964 CEST	63754	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:47.344446898 CEST	13217	63753	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:47.347024918 CEST	13217	63754	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:47.347088099 CEST	63754	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:47.385600090 CEST	63754	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:47.390669107 CEST	13217	63754	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:48.527250051 CEST	63754	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:48.532351971 CEST	13217	63754	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.297581911 CEST	13217	63754	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.299312115 CEST	63754	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.495688915 CEST	63754	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.497255087 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.501272917 CEST	13217	63754	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.502254009 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.502321005 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.540729046 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.546155930 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.558581114 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.563816071 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.605101109 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.610400915 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.636383057 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.641699076 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.667653084 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.672635078 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:52.683254957 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:52.688180923 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:57.488482952 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:57.488553047 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:57.729991913 CEST	63755	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:57.733266115 CEST	63756	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:57.734951973 CEST	13217	63755	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:57.738327026 CEST	13217	63756	147.185.221.23	192.168.2.4
Oct 12, 2024 12:30:57.738455057 CEST	63756	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:57.794070959 CEST	63756	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:30:57.799185991 CEST	13217	63756	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:02.740077019 CEST	13217	63756	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:02.740175009 CEST	63756	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:02.826838017 CEST	63756	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:02.831711054 CEST	13217	63756	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:02.838623047 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:02.843478918 CEST	13217	63757	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:02.843553066 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:02.891690016 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:02.896491051 CEST	13217	63757	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:02.902209044 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:02.907016039 CEST	13217	63757	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:02.933283091 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:02.938112020 CEST	13217	63757	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:03.042548895 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:03.047471046 CEST	13217	63757	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:03.120826006 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:03.125828028 CEST	13217	63757	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:07.792984962 CEST	13217	63757	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:07.793064117 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.137314081 CEST	63757	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.137980938 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.142318010 CEST	13217	63757	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.142787933 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.142910004 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.360224009 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.365242958 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.433214903 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.438406944 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.448900938 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.453677893 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.495723963 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.500698090 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.511343956 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.516264915 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.542607069 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.547601938 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.558253050 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.563127995 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.605134964 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.610132933 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.651992083 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.657041073 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.667690039 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.672576904 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:08.714531898 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:08.719381094 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:10.261713982 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:10.266783953 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:11.637943029 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:11.711018085 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:13.112541914 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:13.112591028 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:13.793715000 CEST	63758	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:13.793720007 CEST	63759	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:13.798664093 CEST	13217	63758	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:13.798682928 CEST	13217	63759	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:13.804373980 CEST	63759	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:14.005372047 CEST	63759	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:14.010260105 CEST	13217	63759	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:18.784523010 CEST	13217	63759	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:18.784574032 CEST	63759	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:19.073781013 CEST	63759	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:19.075706005 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:19.078811884 CEST	13217	63759	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:19.080776930 CEST	13217	63760	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:19.080862045 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:19.115901947 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:19.121046066 CEST	13217	63760	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:19.277208090 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:19.282216072 CEST	13217	63760	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:19.355442047 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:19.360501051 CEST	13217	63760	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:19.386693001 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:19.391635895 CEST	13217	63760	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:22.980765104 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:22.985783100 CEST	13217	63760	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:24.014138937 CEST	13217	63760	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:24.017683983 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:24.484822989 CEST	63760	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:24.489830971 CEST	13217	63760	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:24.494654894 CEST	63761	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:24.499530077 CEST	13217	63761	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:24.499622107 CEST	63761	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:24.535543919 CEST	63761	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:24.540532112 CEST	13217	63761	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:24.589570045 CEST	63761	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:24.594487906 CEST	13217	63761	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:24.605200052 CEST	63761	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:24.610441923 CEST	13217	63761	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:25.339569092 CEST	63761	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:25.344743013 CEST	13217	63761	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:29.449594021 CEST	13217	63761	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:29.449676991 CEST	63761	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:29.622798920 CEST	63761	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:29.622798920 CEST	63762	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:29.627964020 CEST	13217	63761	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:29.627980947 CEST	13217	63762	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:29.631458998 CEST	63762	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:29.691339970 CEST	63762	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:29.696297884 CEST	13217	63762	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:34.597955942 CEST	13217	63762	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:34.598031998 CEST	63762	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:34.933217049 CEST	63762	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:34.934740067 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:34.938215017 CEST	13217	63762	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:34.939584017 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:34.939652920 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:34.973896980 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:34.978792906 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:34.995867968 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:35.000727892 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:35.011667013 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:35.016674995 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:35.027139902 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:35.339505911 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:35.949587107 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:36.059675932 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:36.059689045 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:36.059696913 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:36.636641979 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:36.641709089 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:39.901829958 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:39.902107000 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:40.089896917 CEST	63763	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:40.092185974 CEST	63764	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:40.094887972 CEST	13217	63763	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:40.097282887 CEST	13217	63764	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:40.097528934 CEST	63764	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:40.150121927 CEST	63764	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:40.368407011 CEST	13217	63764	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:44.386918068 CEST	63764	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:44.391999960 CEST	13217	63764	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:45.076226950 CEST	13217	63764	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:45.076283932 CEST	63764	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:45.167735100 CEST	63764	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:45.170859098 CEST	63765	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:45.172589064 CEST	13217	63764	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:45.175684929 CEST	13217	63765	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:45.175745010 CEST	63765	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:45.209927082 CEST	63765	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:45.214787960 CEST	13217	63765	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:50.126574993 CEST	13217	63765	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:50.129596949 CEST	63765	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:50.277709961 CEST	63765	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:50.282632113 CEST	13217	63765	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:50.284137011 CEST	63766	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:50.289608955 CEST	13217	63766	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:50.289865017 CEST	63766	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:50.512453079 CEST	63766	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:50.517328024 CEST	13217	63766	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:55.217662096 CEST	13217	63766	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:55.217727900 CEST	63766	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:55.542597055 CEST	63766	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:55.544552088 CEST	63767	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:55.547540903 CEST	13217	63766	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:55.549540043 CEST	13217	63767	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:55.549639940 CEST	63767	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:55.645791054 CEST	63767	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:55.651359081 CEST	13217	63767	147.185.221.23	192.168.2.4
Oct 12, 2024 12:31:59.777748108 CEST	63767	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:31:59.783026934 CEST	13217	63767	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.515600920 CEST	13217	63767	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.521512985 CEST	63767	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.714575052 CEST	63767	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.716929913 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.793994904 CEST	13217	63767	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.794008017 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.794090033 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.823235035 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.828093052 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.839663982 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.844563007 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.855283976 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.860435963 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.886507034 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.891367912 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.934674978 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.939629078 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:00.964878082 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:00.969799995 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:01.042779922 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:01.047703028 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:05.730329037 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:05.735450029 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:06.074973106 CEST	63769	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:06.075081110 CEST	63768	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:06.080173016 CEST	13217	63769	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:06.080221891 CEST	13217	63768	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:06.080351114 CEST	63769	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:06.223584890 CEST	63769	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:06.228579044 CEST	13217	63769	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:11.055802107 CEST	13217	63769	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:11.056098938 CEST	63769	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:11.277043104 CEST	63769	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:11.280586004 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:11.281992912 CEST	13217	63769	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:11.285553932 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:11.285640955 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:11.316721916 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:11.321607113 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:11.433497906 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:11.438471079 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:11.464679003 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:11.469594002 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:11.574008942 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:11.579283953 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:13.168104887 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:13.173158884 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:14.514514923 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:14.519620895 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:16.267035961 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:16.273566961 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.746000051 CEST	63770	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.747816086 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.751060963 CEST	13217	63770	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:16.752727985 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:16.752784014 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.782938004 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.787863016 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:16.792965889 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.797827005 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:16.839910984 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.844825029 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:16.933541059 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.938625097 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:16.949333906 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:16.954226017 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:20.418021917 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:20.423137903 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:21.675311089 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:21.675410032 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:21.967469931 CEST	63771	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:21.968188047 CEST	63772	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:21.972487926 CEST	13217	63771	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:21.973404884 CEST	13217	63772	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:21.973659039 CEST	63772	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:22.087490082 CEST	63772	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:22.092468023 CEST	13217	63772	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:22.933729887 CEST	63772	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:22.938868046 CEST	13217	63772	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:25.933670998 CEST	63772	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:25.938982964 CEST	13217	63772	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:26.933690071 CEST	63772	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:26.939050913 CEST	13217	63772	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:26.959419012 CEST	13217	63772	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:26.959486008 CEST	63772	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:27.511631012 CEST	63772	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:27.514884949 CEST	63773	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:27.516608000 CEST	13217	63772	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:27.520042896 CEST	13217	63773	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:27.520144939 CEST	63773	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:27.582264900 CEST	63773	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:27.587265968 CEST	13217	63773	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:27.589942932 CEST	63773	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:27.594858885 CEST	13217	63773	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:32.449290991 CEST	13217	63773	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:32.449547052 CEST	63773	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:32.731880903 CEST	63773	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:32.736974955 CEST	13217	63773	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:32.758321047 CEST	63774	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:32.763492107 CEST	13217	63774	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:32.763585091 CEST	63774	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:32.915905952 CEST	63774	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:32.920979023 CEST	13217	63774	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:32.949430943 CEST	63774	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:32.954446077 CEST	13217	63774	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:33.012080908 CEST	63774	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:33.017138004 CEST	13217	63774	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:33.042936087 CEST	63774	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:33.047981977 CEST	13217	63774	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:37.693200111 CEST	13217	63774	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:37.693723917 CEST	63774	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:38.042999983 CEST	63774	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:38.046431065 CEST	63775	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:38.048197985 CEST	13217	63774	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:38.051470995 CEST	13217	63775	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:38.051600933 CEST	63775	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:38.165846109 CEST	63775	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:38.171046972 CEST	13217	63775	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:38.199417114 CEST	63775	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:38.204334021 CEST	13217	63775	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:42.996958971 CEST	13217	63775	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:42.997015953 CEST	63775	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:43.308595896 CEST	63775	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:43.311184883 CEST	63776	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:43.313648939 CEST	13217	63775	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:43.316040039 CEST	13217	63776	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:43.316104889 CEST	63776	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:43.402410030 CEST	63776	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:43.407278061 CEST	13217	63776	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:48.263519049 CEST	13217	63776	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:48.263602018 CEST	63776	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:48.449604034 CEST	63776	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:48.451575994 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:48.454701900 CEST	13217	63776	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:48.456929922 CEST	13217	63777	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:48.457122087 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:48.658305883 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:48.663361073 CEST	13217	63777	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:50.589907885 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:50.594907999 CEST	13217	63777	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:54.311238050 CEST	13217	63777	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:54.311290026 CEST	13217	63777	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:54.311335087 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:54.311439037 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:54.311539888 CEST	13217	63777	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:54.311683893 CEST	13217	63777	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:54.311741114 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:54.311741114 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:58.871066093 CEST	63777	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:58.874650002 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:58.876250029 CEST	13217	63777	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:58.879625082 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:58.879709959 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:58.913606882 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:58.918596983 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:58.949275970 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:58.954382896 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:58.965415001 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:58.970338106 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:59.043021917 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:59.048055887 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:59.058809996 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:59.063759089 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:59.137038946 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:59.142004967 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:32:59.246876955 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:32:59.252219915 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:02.483748913 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:02.489152908 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:03.816631079 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:03.816777945 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:04.294465065 CEST	63779	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:04.294548035 CEST	63778	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:04.300741911 CEST	13217	63779	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:04.300782919 CEST	13217	63778	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:04.303735018 CEST	63779	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:04.419614077 CEST	63779	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:04.424933910 CEST	13217	63779	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:07.574434996 CEST	63779	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:07.579720020 CEST	13217	63779	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:08.262788057 CEST	63779	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:08.268059015 CEST	13217	63779	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:09.327048063 CEST	13217	63779	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:09.327143908 CEST	63779	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:13.261677980 CEST	63779	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:13.262914896 CEST	63780	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:13.266921997 CEST	13217	63779	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:13.267843008 CEST	13217	63780	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:13.267986059 CEST	63780	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:13.312597990 CEST	63780	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:13.317789078 CEST	13217	63780	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:18.190805912 CEST	13217	63780	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:18.190866947 CEST	63780	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:22.668360949 CEST	63780	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:22.669143915 CEST	63781	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:22.673372030 CEST	13217	63780	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:22.674020052 CEST	13217	63781	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:22.674385071 CEST	63781	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:22.685173035 CEST	63781	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:22.690027952 CEST	13217	63781	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:27.630440950 CEST	13217	63781	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:27.630568027 CEST	63781	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:30.887283087 CEST	63781	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:30.887940884 CEST	63782	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:30.892309904 CEST	13217	63781	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:30.892971039 CEST	13217	63782	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:30.893193960 CEST	63782	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:30.902941942 CEST	63782	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:30.907885075 CEST	13217	63782	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:35.878556967 CEST	13217	63782	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:35.878730059 CEST	63782	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:37.794369936 CEST	63783	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:37.794378996 CEST	63782	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:37.799563885 CEST	13217	63783	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:37.799604893 CEST	13217	63782	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:37.799674988 CEST	63783	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:37.815481901 CEST	63783	13217	192.168.2.4	147.185.221.23
Oct 12, 2024 12:33:37.820311069 CEST	13217	63783	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:42.751832008 CEST	13217	63783	147.185.221.23	192.168.2.4
Oct 12, 2024 12:33:42.751924038 CEST	63783	13217	192.168.2.4	147.185.221.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 12:29:06.025465965 CEST	51412	53	192.168.2.4	1.1.1.1
Oct 12, 2024 12:29:06.032746077 CEST	53	51412	1.1.1.1	192.168.2.4
Oct 12, 2024 12:29:08.042491913 CEST	53532	53	192.168.2.4	1.1.1.1
Oct 12, 2024 12:29:08.055593014 CEST	53	53532	1.1.1.1	192.168.2.4
Oct 12, 2024 12:29:35.190516949 CEST	53	62322	162.159.36.2	192.168.2.4
Oct 12, 2024 12:29:35.673710108 CEST	61846	53	192.168.2.4	1.1.1.1
Oct 12, 2024 12:29:35.681096077 CEST	53	61846	1.1.1.1	192.168.2.4
Oct 12, 2024 12:29:39.793231010 CEST	62384	53	192.168.2.4	1.1.1.1
Oct 12, 2024 12:29:39.805754900 CEST	53	62384	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 12:29:06.025465965 CEST	192.168.2.4	1.1.1.1	0x53e7	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 12:29:08.042491913 CEST	192.168.2.4	1.1.1.1	0xf8bf	Standard query (0)	choose-throw.gl.at.ply.gg	A (IP address)	IN (0x0001)	false
Oct 12, 2024 12:29:35.673710108 CEST	192.168.2.4	1.1.1.1	0x147b	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 12, 2024 12:29:39.793231010 CEST	192.168.2.4	1.1.1.1	0xac60	Standard query (0)	choose-throw.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 12:29:06.032746077 CEST	1.1.1.1	192.168.2.4	0x53e7	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 12, 2024 12:29:08.055593014 CEST	1.1.1.1	192.168.2.4	0xf8bf	No error (0)	choose-throw.gl.at.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false
Oct 12, 2024 12:29:35.681096077 CEST	1.1.1.1	192.168.2.4	0x147b	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 12, 2024 12:29:39.805754900 CEST	1.1.1.1	192.168.2.4	0xac60	No error (0)	choose-throw.gl.at.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	6892	C:\Users\user\Desktop\W1FREE.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 12:29:06.043679953 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 12, 2024 12:29:06.531672001 CEST	175	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 10:29:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	06:29:01
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\W1FREE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\W1FREE.exe"
Imagebase:	0x580000
File size:	68'608 bytes
MD5 hash:	6F7CABF4B4354595F267D7D0860A7264
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1733310879.0000000000582000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1733310879.0000000000582000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4187602657.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	06:29:06
Start date:	12/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\user\AppData\Roaming\system.exe"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:29:06
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:29:07
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\system.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\system.exe
Imagebase:	0xdd0000
File size:	68'608 bytes
MD5 hash:	6F7CABF4B4354595F267D7D0860A7264
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\system.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\system.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\system.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs Detection: 77%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:29:18
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\system.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\system.exe"
Imagebase:	0xfd0000
File size:	68'608 bytes
MD5 hash:	6F7CABF4B4354595F267D7D0860A7264
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:29:26
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\system.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\system.exe"
Imagebase:	0x290000
File size:	68'608 bytes
MD5 hash:	6F7CABF4B4354595F267D7D0860A7264
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:30:01
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\system.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\system.exe
Imagebase:	0xcb0000
File size:	68'608 bytes
MD5 hash:	6F7CABF4B4354595F267D7D0860A7264
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:31:00
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\system.exe
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	68'608 bytes
MD5 hash:	6F7CABF4B4354595F267D7D0860A7264
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	06:32:00
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\system.exe
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	68'608 bytes
MD5 hash:	6F7CABF4B4354595F267D7D0860A7264
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	25.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	10
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B7F0860 Relevance: 2.0, Strings: 1, Instructions: 734
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAM_^, xrefs: 00007FFD9B7F1978

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID:
String ID: CAM_^
API String ID: 0-3136481660
Opcode ID: ae6e0d8153c46069c4b89d24af5ee93ffe68a379a45638aa658e509bdc2e544b
Instruction ID: 66791eb28d44e9fc3a60bfa977b25cc19cc4279b14dbdda06271e11d409ab9c8
Opcode Fuzzy Hash: ae6e0d8153c46069c4b89d24af5ee93ffe68a379a45638aa658e509bdc2e544b
Instruction Fuzzy Hash: B432C961B29A494FE758EB78847577D77D2FF98300F4546B9E04EC33E6DE28A8018781

Function 00007FFD9B7F1719 Relevance: 1.9, Strings: 1, Instructions: 691
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAM_^, xrefs: 00007FFD9B7F1978

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID:
String ID: CAM_^
API String ID: 0-3136481660
Opcode ID: 36db1b05cf40c5da5942f75cfdfc8b95dfc804883b687143305ac2628ccec678
Instruction ID: 6a42541082bae8a6a4b6907dced6340e1f761df6b98f77e7ef5b47df92fb4818
Opcode Fuzzy Hash: 36db1b05cf40c5da5942f75cfdfc8b95dfc804883b687143305ac2628ccec678
Instruction Fuzzy Hash: 2222D861B19A4D4FE7A8EB788475ABD77D2FF98300F4145B9E04EC32E6DE2869018781

Function 00007FFD9B7F7A71 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFD9B7F7B20

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 948e8700b8ab73b5b161652c8cb3b78618ffcae38916ec7f737b0c44735fbdf5
Instruction ID: dfb276b01ff4c7befb2df76d5ff9b6345ffdbaf7dd9fe5105ce89e5b9e953d23
Opcode Fuzzy Hash: 948e8700b8ab73b5b161652c8cb3b78618ffcae38916ec7f737b0c44735fbdf5
Instruction Fuzzy Hash: CD31F3319086588FCB58DF58C886AE97BF0FFA5311F05426ED489D7292DB34A846CB91

Function 00007FFD9B7F60B6 Relevance: .5, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d711942e2319a7acd30b06503aa947eaf31571e9e9b77bab158815fe2a79ea85
Instruction ID: cc3d1bfbd4fc3ab64483a3063cc9bdd2ce5ab41920dc6f1091d9166aebe93a70
Opcode Fuzzy Hash: d711942e2319a7acd30b06503aa947eaf31571e9e9b77bab158815fe2a79ea85
Instruction Fuzzy Hash: CAF1A630A19A4D4FEBA8DF28C855BE93BD1FF54310F04426AE85DC72A5DB34E945CB82

Function 00007FFD9B7F6E62 Relevance: .5, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf318357320ad6a3fc316e748b1e4faaa75960acb205f8efb01e4cdfc3d47ad7
Instruction ID: 62492974a52aea2454e807097a02626c205a3c5f0f185ff7c659f6fabccb6070
Opcode Fuzzy Hash: bf318357320ad6a3fc316e748b1e4faaa75960acb205f8efb01e4cdfc3d47ad7
Instruction Fuzzy Hash: 71E1B230B08A4E4FEBA8DF28C8557E97BD1FF54310F14426AE84DC72A5DE78A9458BC1

Function 00007FFD9B7F2381 Relevance: .4, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085410d65cdfeb2ecd1d0e5c43e3d55f0d3e7c2341b24734fe94532d2ecb4a00
Instruction ID: d89519331abdcaeb8e82f67fd3b2f4adafbcec72846c7f114fcee48d5f17f1f2
Opcode Fuzzy Hash: 085410d65cdfeb2ecd1d0e5c43e3d55f0d3e7c2341b24734fe94532d2ecb4a00
Instruction Fuzzy Hash: 34C1DA70F1DA4D4FEB98EBA884757B97BD1EF98300F454279E04EC32E6DE28A8014785

Function 00007FFD9B7F20ED Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cba9d3b496dc806e5eb1593d88d0ede5f0eb19559ce0b0b863a475c10b82df9
Instruction ID: 87f3e6e26496dc643540df61650bcecffe1768b31d46eadb8a318e80135341d0
Opcode Fuzzy Hash: 9cba9d3b496dc806e5eb1593d88d0ede5f0eb19559ce0b0b863a475c10b82df9
Instruction Fuzzy Hash: 1D510010B1E6C94FD79AABB848746B57FE4DF47219B0801FAE09DC71E7DD181806C38A

Function 00007FFD9B7F95DD Relevance: 1.7, APIs: 1, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B7F9702

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 62e43c2578922d5b9ad49e0da39816e40ef151dd1bd99b046a3f6e2959cbadea
Instruction ID: f23230c2e254d11441bbadd35ba4352c1570500a14bde993b96a1966f4bb8cad
Opcode Fuzzy Hash: 62e43c2578922d5b9ad49e0da39816e40ef151dd1bd99b046a3f6e2959cbadea
Instruction Fuzzy Hash: DC510431A0D7894FDB29DBAC9869AF87FE0EF56210F1841BFD0DAC7193CA245446C791

Function 00007FFD9B7F9B58 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B7F9C21

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9896bd1d0bac0dfd4b2bd88f4ce88e78e137db6a2d8fd6dbec6092d431d726da
Instruction ID: 2c7fd3891adcd83c3be554880030698052fa666d0837fcc60d194a881c8940d6
Opcode Fuzzy Hash: 9896bd1d0bac0dfd4b2bd88f4ce88e78e137db6a2d8fd6dbec6092d431d726da
Instruction Fuzzy Hash: E531E830A1CA5D8FDB58DF68985A6F9BBE1EB59321F00427ED05DC3292CA75A812C7C1

Non-executed Functions

Function 00007FFD9B7F108D Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4191945477.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_W1FREE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3efc0006fbc9a75b41905f500fc4187ae4a7cf7ca04572dd17d9e8bf25455b
Instruction ID: 5404944689230b5a7580de194c41b0532bf4742b1e0856ba0e848bd0bf2265f4
Opcode Fuzzy Hash: ac3efc0006fbc9a75b41905f500fc4187ae4a7cf7ca04572dd17d9e8bf25455b
Instruction Fuzzy Hash: E691E51BF0E1A54AD715F7F874698ED7F20DF8233AB1A82F7D0998A4E7DC08604982D5

Analysis Process: system.exePID: 2596, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E1038 Relevance: .8, Instructions: 767COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215a06e289c7f6c80c791d47949c8b20e232c05123b85ffa184125ca2c57997d
Instruction ID: 3f34310604c97d46518375e7639532b84500fcdf61e12cc039c13e2fd231cc12
Opcode Fuzzy Hash: 215a06e289c7f6c80c791d47949c8b20e232c05123b85ffa184125ca2c57997d
Instruction Fuzzy Hash: 48B1F22BF0D6A50AD315B7BC78659EE7F60DF8137A71A81B7D1C98E4E78C04244682D4

Function 00007FFD9B7E1719 Relevance: .7, Instructions: 691COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf2b3044b5062937b6aad14071ba831b6c198d3935268f2a96a1594ec9022cf
Instruction ID: 6746352309bfe7dd42ea792471cca649669e368a24a79fa30733227df453303f
Opcode Fuzzy Hash: 4bf2b3044b5062937b6aad14071ba831b6c198d3935268f2a96a1594ec9022cf
Instruction Fuzzy Hash: EA22A721B19A4D4FE7A8FB788476BB9B7D1EF98304F5505B9E04EC32F6DD2868018741

Function 00007FFD9B7E20ED Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f136df35f9ceddad5c2f9a32d60482d9ffec0881f93126011bbb31db95b4f73
Instruction ID: b90cf23e98a2dbc96102d1d38d0296cd1c1e597b8d948d1d2d4fe938acb835f4
Opcode Fuzzy Hash: 4f136df35f9ceddad5c2f9a32d60482d9ffec0881f93126011bbb31db95b4f73
Instruction Fuzzy Hash: 6A510E10B1E6C94FD79AABB848746A6BFE4DF87219B0801FAE09DC71F7DD181906C342

Function 00007FFD9B7E0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

9N_^, xrefs: 00007FFD9B7E0B01

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID: 9N_^
API String ID: 0-1737749909
Opcode ID: 2b2219622e52841b6d20fee5594626b1ce3f552edb0491e9cdd7a22fccba6535
Instruction ID: d7e0d6ad8f56748719d049d2d1628382f745735ca7332b895a53cfcae48b34b3
Opcode Fuzzy Hash: 2b2219622e52841b6d20fee5594626b1ce3f552edb0491e9cdd7a22fccba6535
Instruction Fuzzy Hash: CB616A2AF0966A8BD705F7BCA466AEC7BB1EFC4329B1541B6D01DC71E7CD28644283D0

Function 00007FFD9B7E0E8E Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

4N_^, xrefs: 00007FFD9B7E1001

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID: 4N_^
API String ID: 0-2516135240
Opcode ID: f8dadbe635b60e180a60590db778ec132d2730746d99e8ad1e3663972dc95feb
Instruction ID: 809d2df494755ad015f4f34e37d261e60a11b1815f0b77d38a9421a86455cf9b
Opcode Fuzzy Hash: f8dadbe635b60e180a60590db778ec132d2730746d99e8ad1e3663972dc95feb
Instruction Fuzzy Hash: E6512A21B0D68A0FE396A77C5866AB93FE1DF8622474941FBD08DCB1E7DC1C5C468352

Function 00007FFD9B7E1208 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b4415ff4431bdd1cf3de949cc955c318d07f0846ef781390602cfa8423b76c
Instruction ID: fb5f096cc3b636ffd8c9fa073ac2cc6dd3865cd5b096a4e14f842f4eab52fb02
Opcode Fuzzy Hash: 01b4415ff4431bdd1cf3de949cc955c318d07f0846ef781390602cfa8423b76c
Instruction Fuzzy Hash: 6741D327E0D3E54BD712F7BC68764EA7FB0DF8222971A85F7D0D98A4A3DC0824458794

Function 00007FFD9B7E1220 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6339d0ed0add8f199dac86453d2e90c62e9781bc1bddf87791c59827529e54
Instruction ID: 20fb4b1e36700f0e350bfc29b0adbb83dfb7ba36ac1ccdf65c31a4ea8003563d
Opcode Fuzzy Hash: 1c6339d0ed0add8f199dac86453d2e90c62e9781bc1bddf87791c59827529e54
Instruction Fuzzy Hash: 2A41D427E0D2E54BD711F7B868764EE7F70EF82269B1A81F7D0D9CA0A3DC0824058794

Function 00007FFD9B7E0985 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38fa87dbc1a61898da33f1294bce520712e24efa85b7111f4e31377eaac90b8
Instruction ID: e1a8bc87b79e0e6281c6e5defd176fef76aa3691f1db7ce6c2808e72b7e33445
Opcode Fuzzy Hash: a38fa87dbc1a61898da33f1294bce520712e24efa85b7111f4e31377eaac90b8
Instruction Fuzzy Hash: 9FA1692BB0866A8BD701BBBCB8656ED7BB0EFC137AB1541B7C149CA1D3CD24644687C0

Function 00007FFD9B7E09D3 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314e17bf491f1250edc64e108c4b6cf03b4ee12ddf3dfadb4f10c7e94693e4b3
Instruction ID: c042d7f4ca59571c7f8a4881cc8f32c2c489af2db5447543abc8a0d7389bdde2
Opcode Fuzzy Hash: 314e17bf491f1250edc64e108c4b6cf03b4ee12ddf3dfadb4f10c7e94693e4b3
Instruction Fuzzy Hash: FF917C2BB0896A8BD704BBBCB8156ED7BA0EFC433AB5581B7C149CB1D7CD24604687C0

Function 00007FFD9B7E0A08 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367b3db465e1964470d31b6fed17a8572c8dd36b0f74d12fbec163c992b67013
Instruction ID: 7ea03d5c1026eca9eebd6bf717a588f66cb5a6fc9604b7b421588b4c8ae76c9e
Opcode Fuzzy Hash: 367b3db465e1964470d31b6fed17a8572c8dd36b0f74d12fbec163c992b67013
Instruction Fuzzy Hash: AF815C2BB0896A8BD704BBBCB8256ED7BA0EFC437AB1581B7D149C71D7CD24644687C0

Function 00007FFD9B7E0A10 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7e72ec9e42dedbfce9c06a28858ecc7a628edb591d944d1edead1abc209deb
Instruction ID: afb8315f5182edd7b9af9621bd94224478e6988f1c042c94f1a69744bf9687fe
Opcode Fuzzy Hash: 1e7e72ec9e42dedbfce9c06a28858ecc7a628edb591d944d1edead1abc209deb
Instruction Fuzzy Hash: A7814C2BB0896A8BD704BBBCB8156ED7BA0EFC437AB1581B7D149C71D7CD24644687C0

Function 00007FFD9B7E0A48 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cc74fe0af2cc10ddc8d267192ca957423a7fc03b0873286529eacdcf2a6895
Instruction ID: fa14c470baf71f11dfc205896663261cdf09bdd5336224ade102ee6f89bb37eb
Opcode Fuzzy Hash: 65cc74fe0af2cc10ddc8d267192ca957423a7fc03b0873286529eacdcf2a6895
Instruction Fuzzy Hash: D7713A3BB08A6A8AD704BB7CA8656ED7BA0EFC4329B1541B7D149C71D7CD246446C7C0

Function 00007FFD9B7E0620 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0912c6fcc4db7f68c85981788b41e4ffbe1b16ca97f1240de1eb69e0cc307c69
Instruction ID: ccae89b57873b35fb885e948250f40df54fcd4e0db9c439782495248f8068dbd
Opcode Fuzzy Hash: 0912c6fcc4db7f68c85981788b41e4ffbe1b16ca97f1240de1eb69e0cc307c69
Instruction Fuzzy Hash: 8731C321B1C9490FE798EE6C846A679B6C2EF98305F0505BEF00EC32E7DD68AC028341

Function 00007FFD9B7E0D21 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9fa911a565036385c1602f91e5f6365c7bbb7b7ca27f8a69234fea9812548b
Instruction ID: d357ddc12a23f80e0356d8d9555dac9b94527a6ba35331538837cdd64b9ec698
Opcode Fuzzy Hash: 7c9fa911a565036385c1602f91e5f6365c7bbb7b7ca27f8a69234fea9812548b
Instruction Fuzzy Hash: E2310A11F18A491FEB44BBBC586A7BD76D1EFD8715F0542BAE00DC32E7DD2868418392

Function 00007FFD9B7E0BDC Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9960e63c2b646ce3d197cf572fed00fdf9a3e1bfdf85a9db3730ecc01c2be7
Instruction ID: 400d5de4dc86ebb13bff5c0603dbe4fa81dd9eb5e2507b12ab9cdf911a0fbeb8
Opcode Fuzzy Hash: ab9960e63c2b646ce3d197cf572fed00fdf9a3e1bfdf85a9db3730ecc01c2be7
Instruction Fuzzy Hash: 5B41D230B19A4E8FDB45EBA88865AEDBBF1FF98304F5541B9E009C32E6CD3868018741

Function 00007FFD9B7E0847 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bcd3e2f391975d38ad5cd3fcbcba451e69cac2c4189fc2fc8edfb4457c3192
Instruction ID: d08a8daaedcc97dc77436e73c1de093dee8777e1bb741e5fdc38312e0d61b9ae
Opcode Fuzzy Hash: 44bcd3e2f391975d38ad5cd3fcbcba451e69cac2c4189fc2fc8edfb4457c3192
Instruction Fuzzy Hash: 8D31B235B0498D8BD785EB5890A99E9BBE1FFD4314BD185F5E049C339ACD2868058750

Function 00007FFD9B7E0865 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d85b16a402aa5e2d6a46710887553101743722668cfc7245e1f3214119743c
Instruction ID: a71c802ed991df6035ecc7178b4185026edb5046cf2decf55f6d94e34f9f8847
Opcode Fuzzy Hash: 76d85b16a402aa5e2d6a46710887553101743722668cfc7245e1f3214119743c
Instruction Fuzzy Hash: 8931A134B19A8D8FD785EB2880B99ECBFF1FFD4204B9184E5E449C33DACD2868018751

Function 00007FFD9B7E0870 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc17ac36257bb44da19edc8c6c8e3b25a21632b83f4c6e9a469e53be547359e
Instruction ID: 8e798747fc04d5d44ee56227be55257d255f5e97928f65b63ac843c00924af5d
Opcode Fuzzy Hash: 0cc17ac36257bb44da19edc8c6c8e3b25a21632b83f4c6e9a469e53be547359e
Instruction Fuzzy Hash: B2218134B19ACD8FD785EB2880B99EDBFF1AFD8204BD184E5E409C33DACD2858058751

Function 00007FFD9B7E22B1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1827022405.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7e0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b063a13740539efe7ebf6be42df51ff7dd9d979888d839fa648c158fab65de3a
Instruction ID: d7d30549694c513461d8585c216a05fcadb6ade5350df373f285fe08e524090d
Opcode Fuzzy Hash: b063a13740539efe7ebf6be42df51ff7dd9d979888d839fa648c158fab65de3a
Instruction Fuzzy Hash: DD012615A0DBD94FEB52A63858658B5BFE0CFD2214B0902FAF889C61F7D8085B45C3A2

Analysis Process: system.exePID: 2140, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B7D1038 Relevance: .8, Instructions: 765COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3bfe1bc96318a86da2cb7ea87a6f44f531983f25be6f40ca11d8e0d1273110
Instruction ID: bf7dba85e757658dc82f3643a31f1cdf7fabaae519b97c173ba81cae83ecf75c
Opcode Fuzzy Hash: 6b3bfe1bc96318a86da2cb7ea87a6f44f531983f25be6f40ca11d8e0d1273110
Instruction Fuzzy Hash: 20B1032BF0D6A60AD315F7BD74659ED3B20DFC137AB1A82F7D18D8E4E78D04244A8294

Function 00007FFD9B7D1719 Relevance: .7, Instructions: 691COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba045bf1e47b5210a9fa7fce6dd44271cbe7cdefc751bfd270613caf0f22b63
Instruction ID: f31228aa26a998952228a94d463a47344eded7d83688fc4444a9f3edfbf03dc3
Opcode Fuzzy Hash: bba045bf1e47b5210a9fa7fce6dd44271cbe7cdefc751bfd270613caf0f22b63
Instruction Fuzzy Hash: 0822E720B19A4D4FE7A8FB788475BBC76D2EFD8345F4506B9E04EC32E6DE2868018741

Function 00007FFD9B7D20ED Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d934f11e430338a03197c86235fafc8048afff42dfeaf26f1c99e6571f945c49
Instruction ID: 9e6f31dcb5ad4b1b589093bf7fd3838b6e3c02df905b0b938c6a5f53d583a33d
Opcode Fuzzy Hash: d934f11e430338a03197c86235fafc8048afff42dfeaf26f1c99e6571f945c49
Instruction Fuzzy Hash: D0512110B1E6C94FD796ABB888746757FE4DF87219B0802FAE09DC71E7DD081806C342

Function 00007FFD9B7D0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

9O_^, xrefs: 00007FFD9B7D0B01

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID: 9O_^
API String ID: 0-1716625314
Opcode ID: f38d28d38aa42abdb27d68a71cc1e7c4227591c779cb25b3544c958d63546dc4
Instruction ID: e1067a612cc598ef49adabaaf2bbf3e74ff7086083fc90ac708bc35f7b58a4c9
Opcode Fuzzy Hash: f38d28d38aa42abdb27d68a71cc1e7c4227591c779cb25b3544c958d63546dc4
Instruction Fuzzy Hash: F4615D2AF0D55A8AD704F7BCA425AEC37B1EFC432AB1546B6D05DC71D7CD28648AC390

Function 00007FFD9B7D0E8E Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

4O_^, xrefs: 00007FFD9B7D1001

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID: 4O_^
API String ID: 0-2486912895
Opcode ID: ae5a076cf5879194c242a6257079c772a44de00a16962502980ef3b81d8dbdd5
Instruction ID: b9d868dadb41d0f3fa09e738ebf3d729588a9e1d5a219187405cf824d1fc5fe7
Opcode Fuzzy Hash: ae5a076cf5879194c242a6257079c772a44de00a16962502980ef3b81d8dbdd5
Instruction Fuzzy Hash: 6C512921B0D68A0FE396AB785875AB93BE1DFC622570941FBD08DC71E7DC185C468352

Function 00007FFD9B7D1208 Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3f842b3ef0ce60a7220d0e7fb6e9bf5d99b83474409610e0f15d9708bcbbff
Instruction ID: a420d83dee0ce0fe54450d647f252d6fd5eb5af61169cdc51b701e44ce8d52c0
Opcode Fuzzy Hash: 2b3f842b3ef0ce60a7220d0e7fb6e9bf5d99b83474409610e0f15d9708bcbbff
Instruction Fuzzy Hash: 8541D627E0D2E64BD711F7BC64B54EA7F70DF8222971A41F7D0D98E4A3DD18244A8294

Function 00007FFD9B7D1220 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df20807bb9da80084be412623989b8e583c426c0eef02ab032e8c79c2f906115
Instruction ID: 00cf39362b3313186f99254c339c1beec275aea6b8af55f2e237227b6dbf42ca
Opcode Fuzzy Hash: df20807bb9da80084be412623989b8e583c426c0eef02ab032e8c79c2f906115
Instruction Fuzzy Hash: E741E627E0D2D64BD311F7BC64754E97B70DF82269B0A41F7D0D98E0A3DD18244A8294

Function 00007FFD9B7D0985 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27622afd94d9b9a94553e84bcf99e34ea1ea0dc2a2cbafa89ff679f34c35dba3
Instruction ID: b728d6b4aad018ec389a13b1c1459e4127c02612404574e3eca653644695c1da
Opcode Fuzzy Hash: 27622afd94d9b9a94553e84bcf99e34ea1ea0dc2a2cbafa89ff679f34c35dba3
Instruction Fuzzy Hash: F9A1692BB08AAA8AD704BB7CB4656EC7B60EFC4336B1545B7C14DCA1C7CD24648AC7D0

Function 00007FFD9B7D09D3 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f4af01bcb45e257bd450ca665c300ac26a54f0ee48706e230c8ea9adeaf4b0
Instruction ID: 2dd7468b4d0ee6cf00298ff5596c797c19341576e7479e5326ebebdbc0964edd
Opcode Fuzzy Hash: c9f4af01bcb45e257bd450ca665c300ac26a54f0ee48706e230c8ea9adeaf4b0
Instruction Fuzzy Hash: 4B91292BB0895A8AD704BB7DB425AED7BA0EFC4336B1546B7C14DCA1D7CD24648AC3D0

Function 00007FFD9B7D0A08 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ff4585e1b39488366d23bde18ebc6705063a6c2ca6b27a806b44cae2e61b07
Instruction ID: 52c601bb7020b891ba933d382aba2bca46676447d5625f37fe02705913268b53
Opcode Fuzzy Hash: 39ff4585e1b39488366d23bde18ebc6705063a6c2ca6b27a806b44cae2e61b07
Instruction Fuzzy Hash: B1814A2BB0895A8AD704BB7CB425AED7BA1EFC4336B1546B7C14DCA1C7CD24648AC7D0

Function 00007FFD9B7D0A10 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e8df0cf5ed5c5dbfc83efd9ab5fa24bab39b328ea1623ba47c9e52fde0edf6
Instruction ID: a0004ee121c0116ed96aad145add1a4f60897ddad0359fdb9009a9e1b6c3298f
Opcode Fuzzy Hash: e6e8df0cf5ed5c5dbfc83efd9ab5fa24bab39b328ea1623ba47c9e52fde0edf6
Instruction Fuzzy Hash: 05815B2BB0895A8AD704BB7CB425AED7BA0EFC4336B1546B7C14DCA1C7CD24648AC7D0

Function 00007FFD9B7D0A48 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec452235454b7f977079b8170c7ed1e8a325103119f5852f28da1aae6462a1cc
Instruction ID: 3737fd29c1f812dc990fa527ac5a3b3c0bf8751d0e55ae100f085228cac96f0d
Opcode Fuzzy Hash: ec452235454b7f977079b8170c7ed1e8a325103119f5852f28da1aae6462a1cc
Instruction Fuzzy Hash: 83717B3BB0895A8AD704BB7CA425AEC7BA0EFC4326B1545B7C14DCB1C7CE24648AC3D0

Function 00007FFD9B7D0620 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62eb46ff2fbec350c936625f05e964624293f88a0b822055e251d96efcad215a
Instruction ID: 7129ce8125f31e1276dd134611ba2c52c45fed51c190d0209121602765c90136
Opcode Fuzzy Hash: 62eb46ff2fbec350c936625f05e964624293f88a0b822055e251d96efcad215a
Instruction Fuzzy Hash: 7131C321B1C94D0FE798EE6C8469679B6C2EFD8345F0546BAE01EC32E7DD28AC428341

Function 00007FFD9B7D0D21 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddef1a01094a226805539bdaf4fc73121984a84e1f9bdc64f5152f5993d517e5
Instruction ID: 855071aff8abf1f3dffd38f28072886334e55c3e1fcfb3f9597caf4108be3220
Opcode Fuzzy Hash: ddef1a01094a226805539bdaf4fc73121984a84e1f9bdc64f5152f5993d517e5
Instruction Fuzzy Hash: C431E621F18A490FEB44BBAC58697BD72D1EFD8751F0143BAE00DC32D6DE2868418392

Function 00007FFD9B7D0BDC Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99223068fc3e06cf41ea1dd9f07568a9ce4d81425df66f9f420d4ef7d768cd55
Instruction ID: b347a094d9a3aab8ed5a5357fbd7e7a4b699c4bcf7ca57fd8e9719d19c134b24
Opcode Fuzzy Hash: 99223068fc3e06cf41ea1dd9f07568a9ce4d81425df66f9f420d4ef7d768cd55
Instruction Fuzzy Hash: 4941A334B18A8E8FDB48EB688475AED77B2FF88305F5505B5D009D32DACE386805C751

Function 00007FFD9B7D0847 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99467e774519612cca50687fbbe78fcca611010fc853fc0c12d2ad27befd9a6e
Instruction ID: f6002d8f57b9e974de8b374d4f462973123cbe441b44cf7083738af8bf239e89
Opcode Fuzzy Hash: 99467e774519612cca50687fbbe78fcca611010fc853fc0c12d2ad27befd9a6e
Instruction Fuzzy Hash: B931B439B0898D9FD388EB5C90A5AEDB7B1FFC4216B8145B5D448C339ACE286906C760

Function 00007FFD9B7D0865 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589566299f9216cae57a27953ad1d90ac9e11d89323ee9f8f056ef2298bfd3c7
Instruction ID: 4ece8d88284d53dffec20f37289b36eb5b987d8f61edebfe78bd979c3b3a19ce
Opcode Fuzzy Hash: 589566299f9216cae57a27953ad1d90ac9e11d89323ee9f8f056ef2298bfd3c7
Instruction Fuzzy Hash: 1F318138B19ACD9FD389EB2C80B49ECBBB2AFC4206B8145E5D448C339ECA285905C751

Function 00007FFD9B7D0870 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd59785c1a184df0f6379444828a4b42d615be5a67367d1476c4f120db17abc
Instruction ID: 57c408f2fdb92b6bc6b76294297186d87b95555fc11997e247c9ab5e8f18b33b
Opcode Fuzzy Hash: 1cd59785c1a184df0f6379444828a4b42d615be5a67367d1476c4f120db17abc
Instruction Fuzzy Hash: C0219338A1C6CD9FD389EB2C80A49ECBBB2AFC4206B8144E5D44DC33DECE285905C751

Function 00007FFD9B7D22B1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938933016.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b7d0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df57d542cbcdee1b1868cd235861ac029ec80b4d9966360dd7e09dd644c81272
Instruction ID: ef3273cd9a5b57be3d19b34b1c258767ca9901a21cd2ee5c7b03cad4352906cb
Opcode Fuzzy Hash: df57d542cbcdee1b1868cd235861ac029ec80b4d9966360dd7e09dd644c81272
Instruction Fuzzy Hash: B9017B14A0D7884FE751AA3858618757FE0DFC1241B0903BBF888C60F7D9086A46C3A2

Analysis Process: system.exePID: 2284, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B801038 Relevance: .8, Instructions: 756COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3acb4304581ba30ac7202c8cdfc71f6ed2674a51ef85cce1df85d5eb1773b38
Instruction ID: 5f99af1f45ec7fe6d752b0860dc056d5fa611966d70798f9392aa11a4b1920ad
Opcode Fuzzy Hash: c3acb4304581ba30ac7202c8cdfc71f6ed2674a51ef85cce1df85d5eb1773b38
Instruction Fuzzy Hash: 0AB1F427F0D5A60AD316F7BC74658ED7B60DF8237A71A81B7D0DD8E0E78C05204A86D5

Function 00007FFD9B801719 Relevance: .7, Instructions: 691COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5aa1b46a5f39de5ee0e8ded2cc77b6f58bd06a548c28032f14e6c8e693fbcf7
Instruction ID: 00234064b5c7e28439286190762ce4cd8ddf3a4a9c6ee8adc168d89f9bd26352
Opcode Fuzzy Hash: b5aa1b46a5f39de5ee0e8ded2cc77b6f58bd06a548c28032f14e6c8e693fbcf7
Instruction Fuzzy Hash: 2622E821B29A4D4BE7A8FF6884B96FD77D2FF99344F4104B9E04EC32D6DD28A9018741

Function 00007FFD9B8020ED Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5db2d74a276d5cc9276867e5550f8aa7c00f7846473f5018d4d1dd930bbdd8
Instruction ID: 0ad53e277c0b2bcff8abf9d58261dbeeaf43c79f5b6b1f2c815d94cd54d19867
Opcode Fuzzy Hash: dc5db2d74a276d5cc9276867e5550f8aa7c00f7846473f5018d4d1dd930bbdd8
Instruction Fuzzy Hash: 0351FF10B1E6C94FD79AABB848746A67FE4DF4B219B0804FAE0DDC71E7DD482806C342

Function 00007FFD9B800AD3 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

9L_^, xrefs: 00007FFD9B800B01

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID: 9L_^
API String ID: 0-1679237627
Opcode ID: 895cd31d9ae1afafa3810a1e92fcbbf13b0718c29c499b5376b453ef3c8a485a
Instruction ID: d757abd3125b04d030739e1319e208b6c2556f79478ff13a888d99c838924224
Opcode Fuzzy Hash: 895cd31d9ae1afafa3810a1e92fcbbf13b0718c29c499b5376b453ef3c8a485a
Instruction Fuzzy Hash: 9F61882AF0895E4AE745FBBCA4669FC37A1EFC832AB1541B6C05DC72D7CD28604683C0

Function 00007FFD9B800E8E Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

4L_^, xrefs: 00007FFD9B801001

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID: 4L_^
API String ID: 0-2524838182
Opcode ID: 968d777af3c01ecc5d27fbdf26864685df8c458d76638554313e22dbcb3bc46d
Instruction ID: 7548338eb8deb68437787a2a5b6868cd049baa24d46e4d41d85be98bad8c8813
Opcode Fuzzy Hash: 968d777af3c01ecc5d27fbdf26864685df8c458d76638554313e22dbcb3bc46d
Instruction Fuzzy Hash: CE513A21B1D68A0FE396AB7858669F93BE1DF8A26470940FBE08DC71E7DC1C5C428352

Function 00007FFD9B801208 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b590cb85abd8ec4af2b351b498b724fcd34e9edc4504091b8938a6c05731d626
Instruction ID: cf34fada297c1f6e084f1ff73478d6a0dd0e43fa5cd86737e67e3df1921b7021
Opcode Fuzzy Hash: b590cb85abd8ec4af2b351b498b724fcd34e9edc4504091b8938a6c05731d626
Instruction Fuzzy Hash: 69410627E0D2D64BD702F7BC64764E97F70EF8226971A41F7D0D98A0E7DC19244A8394

Function 00007FFD9B801220 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9acfdf60e1be4fa13f41e40a3799c91b2ab9881b8df7560a87b5d8a073e009
Instruction ID: 40da0eaffe3b8508a86d5adfb9710cdc79a207d333ed00b4ca1e4bde06282705
Opcode Fuzzy Hash: ce9acfdf60e1be4fa13f41e40a3799c91b2ab9881b8df7560a87b5d8a073e009
Instruction Fuzzy Hash: BC41D527E0D2D64BD702F7BCA8764ED7F70EF8226971A41F7D0D98A0A7DC1924468394

Function 00007FFD9B800985 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e5cab8b309fae83b86af784b4c05f588e4b2d9a02ed8987b8bdb20738a1ba1
Instruction ID: 1be62094253dd6dc0fa1564dc7772337ab0baf14b13d6e603201b164ceaa9b28
Opcode Fuzzy Hash: 47e5cab8b309fae83b86af784b4c05f588e4b2d9a02ed8987b8bdb20738a1ba1
Instruction Fuzzy Hash: FCA1962BB0895A4AD705BBBCB8665EC3B60EFC6366B1541B7C089CB1D7CD24608AC7C1

Function 00007FFD9B8009D3 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5717f2d1e5543fbcc6128ed3b89ad4ade7e823a761209c8fd1ce99591efa17f
Instruction ID: b05d4c66f7112d37ddcec89a97b3af885a2d5589fe974e7138d6680874481550
Opcode Fuzzy Hash: f5717f2d1e5543fbcc6128ed3b89ad4ade7e823a761209c8fd1ce99591efa17f
Instruction Fuzzy Hash: 4091852BB0895A4AD704BBBCB8665FC3BA0EFC5366B1581B7C189CA1D7CD246087C7C0

Function 00007FFD9B800A08 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc4a088a3d772dc705c29ac96a2f33e2504fdd02f9a3e2c64ce9fcc9314014a
Instruction ID: ff7136e421d41a5044d6cd19d706d04cc94ffe17f9fbcd4c9eff82c072fbb85c
Opcode Fuzzy Hash: 4dc4a088a3d772dc705c29ac96a2f33e2504fdd02f9a3e2c64ce9fcc9314014a
Instruction Fuzzy Hash: 1181942BB0895A4AD705BBBCB8665FD3BA1EFC9366B1581B7C049CB1D7CD246086C7C0

Function 00007FFD9B800A10 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8062941ea2402c02d099bd17ca019f7d1e424d930930bc2b00c8c0b400b939b
Instruction ID: 5ad99f5be4a4c5eb56f2da1b34b99e58b1c4c6eefa2d94c73715ff10aac0e825
Opcode Fuzzy Hash: b8062941ea2402c02d099bd17ca019f7d1e424d930930bc2b00c8c0b400b939b
Instruction Fuzzy Hash: 4681642BB0895A4AD704BBBCB8665FD3BA1EFC536AB1585B7C049CB1D7CD246086C7C0

Function 00007FFD9B800A48 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31beea314757e45451ccf79205642ddb77496048f1abb2695880e6beccee735f
Instruction ID: fb5bff2c1ad78118686842c421c5a5b7569fcddc4b595df66b24d53174014a3b
Opcode Fuzzy Hash: 31beea314757e45451ccf79205642ddb77496048f1abb2695880e6beccee735f
Instruction Fuzzy Hash: 1C71843BB0895A4AD705BBBCF8665EC3BA1EFC9326B1541B6C049C71E7CE246086C7C0

Function 00007FFD9B800620 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414158a09ae123d7dae41851e11cb6f8f62b42e6049513b4942e69fff0fb28fc
Instruction ID: 04de491fc1e495245cbb4c610f21e0e1925bb4e10c9c72bf6734430af8498b36
Opcode Fuzzy Hash: 414158a09ae123d7dae41851e11cb6f8f62b42e6049513b4942e69fff0fb28fc
Instruction Fuzzy Hash: F631C521B1D94D0FE798EF6C84696B9B2C2EF9C345F0505BAE04EC32E7DD64AC418341

Function 00007FFD9B800D21 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222fc844fb972c55ec90792a62d73f1167f2f20b110b087fdf7a94ba9dca37e5
Instruction ID: 748e2f8968328c82e0d93447681f3bcc895c09496a3811b4704e9eb30aba6687
Opcode Fuzzy Hash: 222fc844fb972c55ec90792a62d73f1167f2f20b110b087fdf7a94ba9dca37e5
Instruction Fuzzy Hash: 5531E611F1894D0FEB44BBAC586A7BD76D1EF98751F0142BAE40DC32D7DD1868418392

Function 00007FFD9B800BD3 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286b7cfa8f6a30819b5ba50c735b4b61b4a23b4dab6e0f1bd556a7f5204589e4
Instruction ID: 346584d72b9b10456ff348c7eb00a7a23b0fe2c659b02cb189513b7b300a39fb
Opcode Fuzzy Hash: 286b7cfa8f6a30819b5ba50c735b4b61b4a23b4dab6e0f1bd556a7f5204589e4
Instruction Fuzzy Hash: 2741D234B19A4E4FDB88EBB8D4A5AED7BB2FF88304F5104B5D059D32D6CD2869018751

Function 00007FFD9B800847 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3968e9f0c369ac2762575557c2b24dfe7d623f1d432d12adea472632d49aa66
Instruction ID: 093e6aa105fa3af293389d723fefe5acfe337af00b3dfce42b0efa1424d8ef6e
Opcode Fuzzy Hash: b3968e9f0c369ac2762575557c2b24dfe7d623f1d432d12adea472632d49aa66
Instruction Fuzzy Hash: 9C31F03AB5894D5BD7C8EF68A4E18EDBBA2FFC8304B9144B5D409C339ACD3465028B40

Function 00007FFD9B800865 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14cc828b85bd46fa110fb6c4c522fd3c320aff31a9a51ad2021f31e4288d386
Instruction ID: 44773a7357f62e8b24d1e5554a083250bea4c08d36b12c6c8194c0ea05505a72
Opcode Fuzzy Hash: b14cc828b85bd46fa110fb6c4c522fd3c320aff31a9a51ad2021f31e4288d386
Instruction Fuzzy Hash: F0318F35A59A8D5FD7C9EF2894E58E8BFA2FF88304B8148E5D449C33DBDD3869018B41

Function 00007FFD9B800870 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4fc2a05b2044bcbb0697dbfdc93fae3d5c8f167c2fc8daee37b45c4faed1d9
Instruction ID: 8587b9b53e926751be263b5e4ca5b7ae04ba4b9c0335cbeab2a7ef7c3ea19b88
Opcode Fuzzy Hash: 7e4fc2a05b2044bcbb0697dbfdc93fae3d5c8f167c2fc8daee37b45c4faed1d9
Instruction Fuzzy Hash: 1F219F35A58A895FD7C9EF2894E58E8BFB2BF88304B9148E5D409C33DBCD3869018B41

Function 00007FFD9B8022B1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2018730693.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b800000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef07a30c559b67a7585bcc911b4e84ffe04e8911a2abf7b794ac297b8745bdb0
Instruction ID: 7d87a10a38f52861a7536d75f9ff50ec54755df90d5c39cf6df57b693f2733e1
Opcode Fuzzy Hash: ef07a30c559b67a7585bcc911b4e84ffe04e8911a2abf7b794ac297b8745bdb0
Instruction Fuzzy Hash: 49017B10A0DA890FE796AB7828608B57FE0DF9635470901F7E8C9C61E7D8045A4183A2

Analysis Process: system.exePID: 4340, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7F1038 Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d97ebbb239a498e470d0fea15b80f5272d93fb3dab4dc345e8ea7a415d7784
Instruction ID: 10112061344d7c33c2dd1f4a738f5ea8b66a8a967f3dcac37c3d0c3deb7af9b8
Opcode Fuzzy Hash: 43d97ebbb239a498e470d0fea15b80f5272d93fb3dab4dc345e8ea7a415d7784
Instruction Fuzzy Hash: F2A1E52BF0D1A94AD715B7BCB4658ED7F20DF8233AB1A82F7D09D8E0E79C08244586D5

Function 00007FFD9B7F1719 Relevance: .7, Instructions: 691COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503066e33768d7da31d53d5af834553b91622c21e22d5d16cea1eb0cfb949e69
Instruction ID: 8fdec2f607b25bb1a55995d8e42d53832a66b9d62ddd0e9ea97f42eed02db77f
Opcode Fuzzy Hash: 503066e33768d7da31d53d5af834553b91622c21e22d5d16cea1eb0cfb949e69
Instruction Fuzzy Hash: 8022B861B19A4D4FE7A8EB788479ABDB7D2FF98300F4505B9E44DC32E6DD2868018781

Function 00007FFD9B7F20ED Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ac9c7523d099ee2477d962b22aa0ed0061c1b450009572b0eedbda29a42744
Instruction ID: 2d4193e935cb9d9536b19d3afcf312a1d041ee8c08d6b066168501b50abccc97
Opcode Fuzzy Hash: d6ac9c7523d099ee2477d962b22aa0ed0061c1b450009572b0eedbda29a42744
Instruction Fuzzy Hash: C2510F10B1E6C94FD796ABB848746B57FE4DF47219B0801FAE09DC71E7DD181806C38A

Function 00007FFD9B7F0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

9M_^, xrefs: 00007FFD9B7F0B01

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID: 9M_^
API String ID: 0-1708477388
Opcode ID: 25d004aced4a16458c7cb2265abf69155b32637878a6ef1bf2b528089f7cd28b
Instruction ID: 8a182bef8674ee16bc42c941e52e2ef0039faf023eb88c9b536431b6326505c0
Opcode Fuzzy Hash: 25d004aced4a16458c7cb2265abf69155b32637878a6ef1bf2b528089f7cd28b
Instruction Fuzzy Hash: B761372AF0965E8AD704BBBCA4259EC7BB1EFC432AB1543B6D01DC72D7CD28644287D4

Function 00007FFD9B7F0E8E Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

4M_^, xrefs: 00007FFD9B7F1001

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID: 4M_^
API String ID: 0-2545914641
Opcode ID: e3ced553f145b41a8b506c49ab27cf3211285dd1f1434181a2d93d8320fe0b07
Instruction ID: 4eef8f704a385f842747c97903b9ab56c53af940c1519db786d55757ea182942
Opcode Fuzzy Hash: e3ced553f145b41a8b506c49ab27cf3211285dd1f1434181a2d93d8320fe0b07
Instruction Fuzzy Hash: 67513A21B0E6CA0FE356AB7898659B97FE1DF86224B0941FBD08DC72E7DC1C5C428352

Function 00007FFD9B7F1208 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6cca331bf47bc313ac15803eb9a5d7a15ebda4bd840d6d83e79f87d52d73111
Instruction ID: 41aaa77e9ec58c9798a8906507cff6615b79a07464bf39fcbb228912a7808352
Opcode Fuzzy Hash: d6cca331bf47bc313ac15803eb9a5d7a15ebda4bd840d6d83e79f87d52d73111
Instruction Fuzzy Hash: C341A427E0E2E94BD711F7BCA4754EE7F70DF82229B1A42F7D0D98A0A3DC1924458794

Function 00007FFD9B7F1220 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95acbb8fc3648649a088dd9f48ee30d1deefd7643cb75b18789a14f606074ba5
Instruction ID: 4e8c9252a406e1f7d113d6d78f4530e773ecac3cae32561a8bd20e3285bfee1c
Opcode Fuzzy Hash: 95acbb8fc3648649a088dd9f48ee30d1deefd7643cb75b18789a14f606074ba5
Instruction Fuzzy Hash: AB41B427E0E2D94AD711F7B8A8754ED7F70EF82229B1A42F7D0D98A0A3DC1924458694

Function 00007FFD9B7F0985 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f0e2f6beb5b893529956a73961212156675b42dc86ccc398f0cf214a9a4d2e
Instruction ID: cf8c91de16e2bfb9ed4332d63da912fe056dc1f5b0af3ced747136d00f9727ae
Opcode Fuzzy Hash: 08f0e2f6beb5b893529956a73961212156675b42dc86ccc398f0cf214a9a4d2e
Instruction Fuzzy Hash: 81A1232BB096AE8AD704BB7CB8659ED7B60EFC5336B1543F7C149CA187CD24604687C0

Function 00007FFD9B7F09D3 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994f5ee557c8b8899733a4c65cdb1025d19d3631ca5598119d706e22e5b19ba8
Instruction ID: 109cdb462ad1b3987d4b2146b2a3b6190d691e32ee2dd11dc61fcad2e42478f6
Opcode Fuzzy Hash: 994f5ee557c8b8899733a4c65cdb1025d19d3631ca5598119d706e22e5b19ba8
Instruction Fuzzy Hash: 1F91472BB0996E8AD704BB7CB8159EC7BA0EFC5336B1583B7D149CA2D7CD24604687C0

Function 00007FFD9B7F0A08 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbbcf18faca20db6fd287d9799155db33c91a72318abfcbe7d8b9eafc99cfd1
Instruction ID: a18c224aadb46e34e96ff4d8083f5535fc755d2ab82943893b9083157285ef5b
Opcode Fuzzy Hash: 4fbbcf18faca20db6fd287d9799155db33c91a72318abfcbe7d8b9eafc99cfd1
Instruction Fuzzy Hash: DB81272BB0996E8AD704BB7CB8259ED7BA0EFC5336B1583B7D149CA1D7CD24604687C0

Function 00007FFD9B7F0A10 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a86b12e9e527acc8882c4c434466100ba2b9a339b42e4893518fb808b960f18
Instruction ID: bcfa8f0b291fb2077d96aaede2c15f8aea396942a72f412018f0e60bc183c93a
Opcode Fuzzy Hash: 8a86b12e9e527acc8882c4c434466100ba2b9a339b42e4893518fb808b960f18
Instruction Fuzzy Hash: ED81272BB0996E8AD704BB7CB8259ED7B60EFC5336B1583B7D149C61C7CD24604687C0

Function 00007FFD9B7F0A48 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf5ab18e0f55515d11261e3f51d63153cfa4f8c2232645881cddc6009b92014
Instruction ID: 9b497feca365a8f68e6df8089e933654afb569a8c9e82ea818f8b8ba77f2f2f0
Opcode Fuzzy Hash: 6bf5ab18e0f55515d11261e3f51d63153cfa4f8c2232645881cddc6009b92014
Instruction Fuzzy Hash: 4971232BB0996E8AD704BB7CA8699ED7BA0EFC5326B1542B7D149C72C7CD246046C7C0

Function 00007FFD9B7F0620 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b3dc5c27d340ee705f6e5706a9a0febb97d637de410b00dc12ad91a64ccf70
Instruction ID: dfdb097230940be64f61a71f7be49a5f8360b2dfa5a5322cf041dd1a8a8e3b36
Opcode Fuzzy Hash: 57b3dc5c27d340ee705f6e5706a9a0febb97d637de410b00dc12ad91a64ccf70
Instruction Fuzzy Hash: E731D621B1D94D0FE798EE6C8469679B6C2EF98305F4505BEF00EC32E7DD249C018385

Function 00007FFD9B7F0D21 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283d2448b20afa5705cdd14f27053b4582279bcc6613c9dfd1ab0ba6995062b1
Instruction ID: 79087aa8691db41312c3cc7bbd2a6e7e40b1d1500e56b56abfc87498f38296ad
Opcode Fuzzy Hash: 283d2448b20afa5705cdd14f27053b4582279bcc6613c9dfd1ab0ba6995062b1
Instruction Fuzzy Hash: 4B31E821F1894A0FEB48BFAC58697BD76D1EF98715F0142BAE01DC32D6DE2868414392

Function 00007FFD9B7F0BD3 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ada19e4de3cfba0ecb3b814e14794242ab8e21e0ad7af4d8ae88c3c44debcbe
Instruction ID: 84bad3972eab913136f9b41cb528a8d7fbed879fc1bed9465b85b8785623c5bf
Opcode Fuzzy Hash: 2ada19e4de3cfba0ecb3b814e14794242ab8e21e0ad7af4d8ae88c3c44debcbe
Instruction Fuzzy Hash: 5741D334B19A4E8FDB44EB788865AEDBBB1FF88301F4506B9D009D33D6CD296801C781

Function 00007FFD9B7F0847 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a2914f4c53a3714a82c9523eda3d6abbfdeb6c5364386b9de351b5361c9e37
Instruction ID: 39a47b80823cc82b5fdfd800d7b787e5a05c30da0ba4b0f669a1bcc0b3f18c17
Opcode Fuzzy Hash: c4a2914f4c53a3714a82c9523eda3d6abbfdeb6c5364386b9de351b5361c9e37
Instruction Fuzzy Hash: 1D31C039B54A4D4BD748EB68A0A5DEDBBB1FFC4304F8145B8D559C339ACE2869018F50

Function 00007FFD9B7F0865 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae72be8bb4a85a72f854f7bdd15d8dd5fc8c21f625a916e930fe5f7dd140545
Instruction ID: df6fd8c90f381bf307b2c0de74458b0d7091202448586fac35d8f312920fb91b
Opcode Fuzzy Hash: 4ae72be8bb4a85a72f854f7bdd15d8dd5fc8c21f625a916e930fe5f7dd140545
Instruction Fuzzy Hash: 8E319C39759A8D4FD345EB28A4A9CACBFB1EF84300F8548E9D948C33DAC92869018B51

Function 00007FFD9B7F0870 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56ea60f80765b384090e207854cbb838e97c74ad48ad16c3bd76505936a1fbf
Instruction ID: 042a51c7fa489bf1b5b5e649f8160657dbf1a0b5ccdda65e253b2160655b9aa0
Opcode Fuzzy Hash: c56ea60f80765b384090e207854cbb838e97c74ad48ad16c3bd76505936a1fbf
Instruction Fuzzy Hash: 8121A039758A8D4FD344EB28A4A8CECBFB1EFC4300F8548E9D948C33DACD2859018B41

Function 00007FFD9B7F22B1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2370093045.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd9b7f0000_system.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbceb12320cb3ca5ef83a3da6dd589cde7d2acd514df570c91cffcd666bdfdca
Instruction ID: 717fb0fb4ee3838c817116057325523d9b07735fb34d792d55f74283be43b80a
Opcode Fuzzy Hash: dbceb12320cb3ca5ef83a3da6dd589cde7d2acd514df570c91cffcd666bdfdca
Instruction Fuzzy Hash: 49017B50B0DB980FE751AA3858658757FE0CF81310B0902BBF888C61F7DC045B41C3D2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report W1FREE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\system.exe.log

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

C:\Users\user\AppData\Roaming\system.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
W1FREE.exe

Function 00007FFD9B7F0860 Relevance: 2.0, Strings: 1, Instructions: 734
COMMON

Function 00007FFD9B7F1719 Relevance: 1.9, Strings: 1, Instructions: 691
COMMON

Function 00007FFD9B7F7A71 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Function 00007FFD9B7F60B6 Relevance: .5, Instructions: 471
COMMON

Function 00007FFD9B7F6E62 Relevance: .5, Instructions: 456
COMMON

Function 00007FFD9B7F2381 Relevance: .4, Instructions: 392
COMMON

Function 00007FFD9B7F95DD Relevance: 1.7, APIs: 1, Instructions: 167
COMMON

Function 00007FFD9B7F9B58 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre