
Windows Analysis Report
windxcmd.exe

Overview

General Information

Sample name: windxcmd.exe
Analysis ID: 1562137
MD5: 65f2df92724e59cabe9cc5f12768ad93
SHA1: 6f21c66f2c529d37b046f53b04e3fd3baf91b13b
SHA256: bd5f54fa6a6b85d25c93c790c1b63f28f557cb7d9c1a79cbe702df30f6d0cc07
Tags: exe, malware, trojan, user-Joker

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • windxcmd.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\windxcmd.exe" MD5: 65F2DF92724E59CABE9CC5F12768AD93)
    • svchost.exe (PID: 7456 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: FBC06EB9F872988CF94EC59C859FACD7)
      • schtasks.exe (PID: 7704 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wind.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Roaming\wind.exe" MD5: A43BF335D87DF0128E7DA328C6A447B7)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"C2 url": ["45.141.26.134"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "usb.exe"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7d5a:$s6: VirtualBox
  • 0x7cb8:$s8: Win32_ComputerSystem
  • 0x8740:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x87dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x88f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x83b8:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x20022:$s6: VirtualBox
  • 0x29e62:$s6: VirtualBox
  • 0x1ff80:$s8: Win32_ComputerSystem
  • 0x29dc0:$s8: Win32_ComputerSystem
  • 0x20a08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x2a848:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x20aa5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x2a8e5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x20bba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x2a9fa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x20680:$cnc4: POST / HTTP/1.1
  • 0x2a4c0:$cnc4: POST / HTTP/1.1
00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings
0.2.windxcmd.exe.35592c8.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0.2.windxcmd.exe.35592c8.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.windxcmd.exe.35592c8.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x5f5a:$s6: VirtualBox
  • 0x5eb8:$s8: Win32_ComputerSystem
  • 0x6940:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x69dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6af2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x65b8:$cnc4: POST / HTTP/1.1
1.0.svchost.exe.300000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
1.0.svchost.exe.300000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

                        System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\windxcmd.exe, ProcessId: 7404, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\windxcmd.exe", ParentImage: C:\Users\user\Desktop\windxcmd.exe, ParentProcessId: 7404, ParentProcessName: windxcmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7456, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7456, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7704, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7456, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7704, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\windxcmd.exe", ParentImage: C:\Users\user\Desktop\windxcmd.exe, ParentProcessId: 7404, ParentProcessName: windxcmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7456, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\windxcmd.exe", ParentImage: C:\Users\user\Desktop\windxcmd.exe, ParentProcessId: 7404, ParentProcessName: windxcmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7456, ProcessName: svchost.exe

                        Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe", ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7456, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 7704, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T08:55:39.835907+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:55:53.369724+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:55:53.712594+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:07.602597+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:21.492991+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:23.378688+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:34.178782+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:39.806194+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:40.060140+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:40.353195+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:53.395155+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:53.729778+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:55.462497+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:01.101843+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:11.367860+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:16.240004+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:16.240251+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:16.696188+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:23.384551+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:23.899550+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:26.023750+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:33.753603+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:46.399910+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:53.040127+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:53.406222+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:06.929942+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:11.399731+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:11.653910+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:11.925757+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:23.432884+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:24.462311+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:26.902453+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:27.274986+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:33.181717+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:36.745355+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:37.196123+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:47.164750+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:52.150218+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:53.438566+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:54.492682+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:56.674939+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:57.852047+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:58.351879+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:58.608295+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:01.462519+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:08.579608+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:08.833416+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:11.633875+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:18.821312+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:20.104054+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:23.444705+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:23.745977+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:24.196844+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:27.770571+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T08:55:39.853925+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:55:53.721542+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:07.604708+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:21.494597+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:34.181270+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:39.819371+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:40.064715+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:40.355122+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:53.732407+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:55.463889+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:01.104528+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:11.369689+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:16.243183+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:16.697744+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:23.902579+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:26.025412+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:33.786962+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:46.405091+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:53.232690+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:06.931814+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:11.403104+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:11.690822+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:12.023345+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:24.464680+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:26.904844+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:27.276607+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:33.183692+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:36.747499+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:37.198005+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:47.168451+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:52.152210+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:54.494066+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:56.676874+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:58.353766+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:58.609837+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:01.464362+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:08.581856+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:08.838729+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:09.140205+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:11.635684+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:18.829686+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:20.107542+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:23.750177+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:24.199688+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:27.771330+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T08:55:53.369724+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:23.378688+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:53.395155+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:23.384551+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:53.406222+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:23.432884+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:53.438566+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:23.444705+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T08:57:33.167704+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP


                        AV Detection

Source: windxcmd.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.134"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "usb.exe"}
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\wind.exe | ReversingLabs: Detection: 18%
Source: windxcmd.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\wind.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: windxcmd.exe | Joe Sandbox ML: detected
Source: 1.0.svchost.exe.300000.0.unpack | String decryptor: 45.141.26.134
Source: 1.0.svchost.exe.300000.0.unpack | String decryptor: 7000
Source: 1.0.svchost.exe.300000.0.unpack | String decryptor: <123456789>
Source: 1.0.svchost.exe.300000.0.unpack | String decryptor: <Xwormmm>
Source: 1.0.svchost.exe.300000.0.unpack | String decryptor: V5.7
Source: 1.0.svchost.exe.300000.0.unpack | String decryptor: usb.exe
Source: 1.0.svchost.exe.300000.0.unpack | String decryptor: %AppData%
Source: 1.0.svchost.exe.300000.0.unpack | String decryptor: svchost.exe
Source: windxcmd.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: windxcmd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Source Code\Loaded GUI\Loaded GUI\obj\x64\Release\Loaded GUI.pdb | source: wind.exe.0.dr

                        Networking

                        Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49734 -> 45.141.26.134:7000
                        Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.26.134:7000 -> 192.168.2.4:49734
                        Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49734 -> 45.141.26.134:7000
                        Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.141.26.134:7000 -> 192.168.2.4:49734
                        Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49734 -> 45.141.26.134:7000
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 208.95.112.1 80
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 45.141.26.134 7000
                        Source: Malware configuration extractor | URLs: 45.141.26.134
                        Source: Yara match | File source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                        Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 45.141.26.134:7000
                        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                        Source: Joe Sandbox View | IP Address: 208.95.112.1
                        Source: Joe Sandbox View | ASN Name: SPECTRAIPSpectraIPBVNL
                        Source: unknown | DNS query: name: ip-api.com
                        Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.134 (this entry is repeated 50 times in the report)
                        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                        Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                        Source: windxcmd.exe, 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 00000001.00000002.4308288597.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: svchost.exe, 00000001.00000002.4308288597.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                        Source: wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                        Source: wind.exe.0.dr | String found in binary or memory: https://discord.gg/arzenshop%click
                        Source: wind.exe.0.dr | String found in binary or memory: https://github.com/stark11231/spoof/raw/main/WindXTen.exeAC:

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: windxcmd.exe PID: 7404, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7456, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                        Source: svchost.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
                        Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
                        Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

                        Operating System Destruction

                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: 01 00 00 00

                        System Summary

                        Source: 0.2.windxcmd.exe.35592c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.2.windxcmd.exe.3563108.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: wind.exe.0.dr, Form1.cs | Long String: Length: 181092
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 1_2_00007FFD9B60C794
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 1_2_00007FFD9B605776
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 1_2_00007FFD9B601631
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 1_2_00007FFD9B606522
                        Source: wind.exe.0.dr | Static PE information: No import functions for PE file found
                        Source: windxcmd.exe, 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exe4 vs windxcmd.exe
                        Source: windxcmd.exe, 00000000.00000000.1834885594.0000000001264000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOutput.exe4 vs windxcmd.exe
                        Source: windxcmd.exe | Binary or memory string: OriginalFilenameOutput.exe4 vs windxcmd.exe
                        Source: windxcmd.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 0.2.windxcmd.exe.35592c8.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.2.windxcmd.exe.3563108.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: svchost.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: svchost.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: svchost.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: svchost.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: svchost.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/3@1/2
                        Source: C:\Users\user\Desktop\windxcmd.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\wind.exe | Mutant created: NULL
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\dSzDnC4txCD67cS4
                        Source: C:\Users\user\Desktop\windxcmd.exe | Mutant created: \Sessions\1\BaseNamedObjects\QGtTRkW66iSdF8Ey7
                        Source: windxcmd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: windxcmd.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Users\user\Desktop\windxcmd.exe | File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\windxcmd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: windxcmd.exe | ReversingLabs: Detection: 68%
                        Source: unknown | Process created: C:\Users\user\Desktop\windxcmd.exe "C:\Users\user\Desktop\windxcmd.exe"
                        Source: C:\Users\user\Desktop\windxcmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                        Source: C:\Users\user\Desktop\windxcmd.exe | Process created: C:\Users\user\AppData\Roaming\wind.exe "C:\Users\user\AppData\Roaming\wind.exe"
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                        Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\windxcmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                        Source: C:\Users\user\Desktop\windxcmd.exe | Process created: C:\Users\user\AppData\Roaming\wind.exe "C:\Users\user\AppData\Roaming\wind.exe"
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\windxcmd.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasapi32.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasman.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rtutils.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: slc.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: avicap32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: msvfw32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: dwrite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wind.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\Desktop\windxcmd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\windxcmd.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                        Source: windxcmd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: windxcmd.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: windxcmd.exeStatic file information: File size 3542528 > 1048576
                        Source: windxcmd.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x360400
                        Source: windxcmd.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: D:\Source Code\Loaded GUI\Loaded GUI\obj\x64\Release\Loaded GUI.pdb source: wind.exe.0.dr

                        Data Obfuscation

Source: svchost.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Messages.cs | .Net Code: Memory
Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, Messages.cs | .Net Code: Memory
Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.windxcmd.exe.3563108.2.raw.unpack, Messages.cs | .Net Code: Memory
Source: wind.exe.0.dr | Static PE information: 0xE220BB2A [Tue Mar 21 16:11:22 2090 UTC]
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 1_2_00007FFD9B608050 pushad ; ret 1_2_00007FFD9B60809D
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 1_2_00007FFD9B60809E push eax; ret 1_2_00007FFD9B6080AD

                        Persistence and Installation Behavior

Source: C:\Users\user\Desktop\windxcmd.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe (2 consecutive occurrences)
Source: C:\Users\user\Desktop\windxcmd.exe | File created: C:\Users\user\AppData\Roaming\wind.exe

                        Boot Survival

Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: windxcmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\windxcmd.exe | Process information set: NOOPENFILEERRORBOX (19 consecutive occurrences)
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: NOOPENFILEERRORBOX (56 consecutive occurrences)
Source: C:\Users\user\AppData\Roaming\wind.exe | Process information set: NOOPENFILEERRORBOX (36 consecutive occurrences)

                        Malware Analysis System Evasion

Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: windxcmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: svchost.exe, 00000001.00000002.4308288597.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: windxcmd.exe, 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, svchost.exe.0.dr | Binary or memory string: SBIEDLL.DLLINFO
Source: C:\Users\user\Desktop\windxcmd.exe | Memory allocated: 3350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\windxcmd.exe | Memory allocated: 1B540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: B20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1A7A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wind.exe | Memory allocated: 1CD8D130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wind.exe | Memory allocated: 1CDA6CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\windxcmd.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe | Window / User API: threadDelayed 8259
Source: C:\Users\user\AppData\Roaming\svchost.exe | Window / User API: threadDelayed 1595
Source: C:\Users\user\Desktop\windxcmd.exe TID: 7428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7776 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation (2 consecutive occurrences)
Source: C:\Users\user\Desktop\windxcmd.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000001.00000002.4316290728.000000001C804000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe.0.dr | Binary or memory string: vmware
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information queried: ProcessInformation

                        Anti Debugging

Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 1_2_00007FFD9B606D21 CheckRemoteDebuggerPresent,1_2_00007FFD9B606D21
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug (2 consecutive occurrences)
Source: C:\Users\user\Desktop\windxcmd.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 208.95.112.1 80
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 45.141.26.134 7000
Source: C:\Users\user\Desktop\windxcmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\windxcmd.exe | Process created: C:\Users\user\AppData\Roaming\wind.exe "C:\Users\user\AppData\Roaming\wind.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\windxcmd.exe | Queries volume information: C:\Users\user\Desktop\windxcmd.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Users\user\AppData\Roaming\wind.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\wind.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\Desktop\windxcmd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: windxcmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: svchost.exe, 00000001.00000002.4317069119.000000001C897000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4308288597.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: windxcmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

                        Remote Access Functionality

Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svchost.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.3563108.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.windxcmd.exe.35592c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4308288597.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: windxcmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7456, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count the matrix shows next to a matched technique, techniques without a number are unmatched cells of the matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (12), Scheduled Task/Job (2), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Scheduled Task/Job (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Process Injection (111), Scheduled Task/Job (2), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (151), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (11), Software Packing (2), Timestomp (1), DLL Side-Loading (1)
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (541), Process Discovery (1), Virtualization/Sandbox Evasion (151), Application Window Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (23), System Owner/User Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Input Capture (1), Archive Collected Data (11), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

Source | Detection | Scanner | Label
windxcmd.exe | 68% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
windxcmd.exe | 100% | Avira | TR/Dropper.Gen
windxcmd.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\wind.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\svchost.exe | 83% | ReversingLabs | ByteCode-MSIL.Ransomware.CryptConsole
C:\Users\user\AppData\Roaming\wind.exe | 19% | ReversingLabs | Win64.Trojan.Generic

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
45.141.26.134 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
45.141.26.134 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.gg/arzenshop%click | wind.exe.0.dr | false | | high
http://www.jiyu-kobo.co.jp/ | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/stark11231/spoof/raw/main/WindXTen.exeAC: | wind.exe.0.dr | false | | high
http://www.zhongyicts.com.cn | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | svchost.exe, 00000001.00000002.4308288597.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | wind.exe, 00000002.00000002.4327918871.000001CDA9792000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
45.141.26.134 | unknown | Netherlands | 62068 | SPECTRAIPSpectraIPBVNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562137
Start date and time: 2024-11-25 08:54:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: windxcmd.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/3@1/2
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 25
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target wind.exe, PID 7480 because it is empty
• Execution Graph export aborted for target windxcmd.exe, PID 7404 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: windxcmd.exe
Time | Type | Description
02:55:24 | API Interceptor | 12254486x Sleep call for process: svchost.exe modified
07:55:26 | Task Scheduler | Run new task: svchost path: C:\Users\user\AppData\Roaming\svchost.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | main.exe | malicious | Blank Grabber, SilentXMRMiner, Xmrig | ip-api.com/json/?fields=225545
208.95.112.1 | _THALAT DEME DURUM.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | DESIGN LOGO.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | file.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Quote GVSE24-00815.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | EsgeCzT4do.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | dLRcE11Dkl.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | owuP726k3d.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | WV7Gj9lJ7W.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 18sFhgSyVK.exe | malicious | XWorm | ip-api.com/line/?fields=hosting

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | main.exe | malicious | Blank Grabber, SilentXMRMiner, Xmrig | 208.95.112.1
ip-api.com | _THALAT DEME DURUM.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | DESIGN LOGO.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | file.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | Quote GVSE24-00815.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | EsgeCzT4do.exe | malicious | XWorm | 208.95.112.1
ip-api.com | dLRcE11Dkl.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | owuP726k3d.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | WV7Gj9lJ7W.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 18sFhgSyVK.exe | malicious | XWorm | 208.95.112.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SPECTRAIPSpectraIPBVNL | mips.nn.elf | malicious | Mirai, Okiru | 45.138.53.54
SPECTRAIPSpectraIPBVNL | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | 45.141.26.170
SPECTRAIPSpectraIPBVNL | Fulloption_V2.1.exe | malicious | XWorm | 45.141.27.248
SPECTRAIPSpectraIPBVNL | BoostFPS.exe | malicious | XWorm | 45.141.27.248
SPECTRAIPSpectraIPBVNL | bPRQRIfbbq.exe | malicious | Unknown | 45.138.16.44
SPECTRAIPSpectraIPBVNL | 4Fm0sK0yKz.exe | malicious | AsyncRAT | 45.141.215.18
SPECTRAIPSpectraIPBVNL | Payload 94.75 (3).225.exe | malicious | Unknown | 45.141.215.40
SPECTRAIPSpectraIPBVNL | Payload 94.75 (2).225.exe | malicious | Unknown | 45.141.215.116
SPECTRAIPSpectraIPBVNL | Payload 94.75 (3).225.exe | malicious | Unknown | 45.138.16.76
SPECTRAIPSpectraIPBVNL | Payload 94.75 (2).225.exe | malicious | Unknown | 45.141.215.21
TUT-ASUS | main.exe | malicious | Blank Grabber, SilentXMRMiner, Xmrig | 208.95.112.1
TUT-ASUS | _THALAT DEME DURUM.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | DESIGN LOGO.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | file.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | Quote GVSE24-00815.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | EsgeCzT4do.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | dLRcE11Dkl.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | owuP726k3d.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | WV7Gj9lJ7W.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 18sFhgSyVK.exe | malicious | XWorm | 208.95.112.1
                                                                                    No context
                                                                                    No context
Process: C:\Users\user\Desktop\windxcmd.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Process: C:\Users\user\Desktop\windxcmd.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 40448
Entropy (8bit): 5.6065495020412435
Encrypted: false
SSDEEP: 768:yvDn5gHCJiQtTZeIAIxZH9oLIbtAW0xEtF5Pa9gveOwhI33Eab:YCHMlhZDAI6kN0xMFY9gmOw+UY
MD5: FBC06EB9F872988CF94EC59C859FACD7
SHA1: B6DB9E916A0B5982C7EE5DF9417D58ABBD61808F
SHA-256: C1E467AC8B0AFE2AD9D5A1C5F24DB273345931C07B7E21A40ACD572C7E646BBE
SHA-512: DB447AEFBD7F536FBB7C9E89402AF8C76EBF9AB237557961109DF722E66776B5E02F39986B0BD4200254FCE19EE191F0CE2B1451737BA946E0F87BEDB0B8A201
Malicious: true
Yara Hits:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
Reputation: low
Process: C:\Users\user\Desktop\windxcmd.exe
File Type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3491840
Entropy (8bit): 7.809105520751368
Encrypted: false
SSDEEP: 49152:zOzR/epSFnOne5uBwoqzCr4MnYrX6AXoZNM1Ho7Fif35uA+2c/8UdhbIJYkg4Huc:zOz0YMzwQ4nqqoYWy97c/TM5g4+K
MD5: A43BF335D87DF0128E7DA328C6A447B7
SHA1: D65EB53BE51870AA31E1AB675F6AC7C8C6528F5C
SHA-256: 60AA4E15C2F974A4EBB9ADA3A90EC6A786C77FAA993A87572308F7F7A5E9B3B6
SHA-512: C3446F80D932B54E0C9E527E9176658FA6B986E45D42DBF73E6652DF3FF0984E92E61D3E27CDCECDFFA75035E13CB3C0830A99078D47BE3DAD6CFB52971D1186
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 19%
Reputation: low
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.999409826341136
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: windxcmd.exe
File size: 3'542'528 bytes
MD5: 65f2df92724e59cabe9cc5f12768ad93
SHA1: 6f21c66f2c529d37b046f53b04e3fd3baf91b13b
SHA256: bd5f54fa6a6b85d25c93c790c1b63f28f557cb7d9c1a79cbe702df30f6d0cc07
SHA512: 59d5584d99401502babae333b85c68b39ca027710b19d27711b083526812593cdaca14c4e68f1b4f31daabbf1c8c7881e0ccd289567bd296fc7718f8dfed78f0
SSDEEP: 98304:L/NSW1ks76/dzpo0XxEVDixT8tgbCfBIo:L/NShxp5+ViwgbB
TLSH: 3CF523482383B7C1E71A5BBF069633AAA544914ED9A156FE4534DB38E2241E33C353FB
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x76227e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67431F63 [Sun Nov 24 12:43:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x362230 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x364000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x366000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x360284 | 0x360400 | 8d9927e2db3793dcbb2d20b9967edf54 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x364000 | 0x4d8 | 0x600 | f341932118d0526aec5c19047b4f8ba6 | False | 0.3743489583333333 | data | 3.726050043701057 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x366000 | 0xc | 0x200 | 995a71f3866ea5420b957cf65eb7cc7b | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "6" | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3640a0 | 0x244 | data | | | 0.4706896551724138
RT_MANIFEST | 0x3642e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T08:55:39.249985+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:55:39.835907+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:55:39.853925+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:55:53.369724+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:55:53.369724+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:55:53.712594+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:55:53.721542+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:07.602597+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:07.604708+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:21.492991+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:21.494597+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:23.378688+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:23.378688+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:34.178782+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:34.181270+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:39.806194+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:39.819371+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:40.060140+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:40.064715+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:40.353195+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:40.355122+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:53.395155+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:53.395155+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:53.729778+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:53.732407+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:56:55.462497+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:56:55.463889+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:01.101843+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:01.104528+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:11.367860+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:11.369689+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:16.240004+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:16.240251+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:16.243183+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:16.696188+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:16.697744+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:23.384551+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:23.384551+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:23.899550+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:23.902579+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:26.023750+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:26.025412+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:33.167704+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:33.753603+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:33.786962+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:46.399910+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:46.405091+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:53.040127+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:53.232690+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:57:53.406222+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:57:53.406222+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:06.929942+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:06.931814+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:11.399731+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:11.403104+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:11.653910+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:11.690822+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:11.925757+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:12.023345+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:23.432884+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:23.432884+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:24.462311+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:24.464680+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:26.902453+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:26.904844+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:27.274986+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:27.276607+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:33.181717+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:33.183692+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:36.745355+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:36.747499+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:37.196123+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:37.198005+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:47.164750+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:47.168451+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:52.150218+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:52.152210+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:53.438566+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:53.438566+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:54.492682+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:54.494066+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:56.674939+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:56.676874+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:57.852047+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:58.351879+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:58.353766+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:58:58.608295+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:58:58.609837+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:01.462519+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:01.464362+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:08.579608+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:08.581856+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:08.833416+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:08.838729+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:09.140205+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:11.633875+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:11.635684+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:18.821312+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:18.829686+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:20.104054+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:20.107542+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:23.444705+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:23.444705+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:23.745977+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:23.750177+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:24.196844+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:24.199688+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
2024-11-25T08:59:27.770571+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.4 | 49734 | TCP
2024-11-25T08:59:27.771330+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49734 | 45.141.26.134 | 7000 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    Nov 25, 2024 08:57:01.101843119 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:01.104527950 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:01.224026918 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:04.153184891 CET4973280192.168.2.4208.95.112.1
                                                                                    Nov 25, 2024 08:57:04.272717953 CET8049732208.95.112.1192.168.2.4
                                                                                    Nov 25, 2024 08:57:10.792444944 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:10.911993027 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:11.367860079 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:11.369688988 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:11.489229918 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:15.276794910 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:15.396286964 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:16.091135025 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:16.240004063 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:16.240251064 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:16.240936041 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:16.241143942 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:16.243182898 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:16.362591982 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:16.696187973 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:16.697743893 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:16.817210913 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:23.324034929 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:23.384551048 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:23.443145990 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:23.443567991 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:23.899549961 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:23.902579069 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:24.022253990 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:25.448504925 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:25.568033934 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:26.023750067 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:26.025412083 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:26.145311117 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:33.167704105 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:33.287420034 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:33.753602982 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:33.786962032 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:33.906548977 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:45.823862076 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:45.943653107 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:46.399909973 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:46.405091047 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:46.524698973 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:52.464581013 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:52.584492922 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:53.040127039 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:53.213866949 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:53.232690096 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:57:53.352216005 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:53.406222105 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:57:53.510721922 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:06.354979992 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:06.474620104 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:06.929941893 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:06.931813955 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:07.051275969 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:10.823684931 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:10.944068909 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:10.980137110 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:11.099988937 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:11.100084066 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:11.219682932 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:11.399730921 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:11.403104067 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:11.522727013 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:11.653909922 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:11.690821886 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:11.810513973 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:11.925756931 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:12.012444973 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:12.023344994 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:12.144469023 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:23.432883978 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:23.510683060 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:23.886919022 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:24.006584883 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:24.462311029 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:24.464679956 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:24.584331036 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:26.326883078 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:26.447045088 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:26.450858116 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:26.570465088 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:26.902452946 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:26.904844046 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:27.024385929 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:27.274986029 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:27.276607037 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:27.396300077 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:32.606833935 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:32.726428986 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:33.181716919 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:33.183691978 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:33.303251028 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:36.168842077 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:36.289824963 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:36.621047020 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:36.740729094 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:36.745354891 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:36.747498989 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:36.907555103 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:37.196122885 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:37.198004961 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:37.317609072 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:46.589308023 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:46.708920002 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:47.164750099 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:47.168451071 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:47.288059950 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:51.574752092 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:51.694511890 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:52.150218010 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:52.152209997 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:52.271790028 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:53.438565969 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:53.654728889 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:53.917223930 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:54.036885023 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:54.492681980 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:54.494066000 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:54.613701105 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:56.073275089 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:56.193830013 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:56.674938917 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:56.676873922 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:56.796653032 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:57.276746035 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:57.396589041 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:57.776494980 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:57.852046967 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:57.896078110 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:57.896131992 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:58.015611887 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:58.351878881 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:58.353765965 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:58.473301888 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:58.608294964 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:58:58.609837055 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:58:58.729374886 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:00.886701107 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:01.006464958 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:01.462518930 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:01.464361906 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:01.584167004 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:07.995424986 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:08.115219116 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:08.115279913 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:08.234843969 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:08.234930992 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:08.355256081 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:08.579607964 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:08.581856012 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:08.702378988 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:08.833415985 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:08.838728905 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:08.958462000 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:09.136951923 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:09.140204906 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:09.260042906 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:09.260274887 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:09.380108118 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:11.058523893 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:11.178265095 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:11.633874893 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:11.635684013 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:11.755481005 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:18.246047020 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:18.365799904 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:18.821311951 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:18.829685926 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:18.949275017 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:19.510818005 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:19.630611897 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:20.104053974 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:20.107542038 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:20.227140903 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:23.090486050 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:23.214312077 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:23.444705009 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:23.560672998 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:23.621256113 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:23.740931034 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:23.745976925 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:23.750176907 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:23.911500931 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:24.196844101 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:24.199687958 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:24.322515965 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:27.195117950 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:27.314929962 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:27.770570993 CET70004973445.141.26.134192.168.2.4
                                                                                    Nov 25, 2024 08:59:27.771330118 CET497347000192.168.2.445.141.26.134
                                                                                    Nov 25, 2024 08:59:27.890924931 CET70004973445.141.26.134192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 08:55:22.757508993 CET | 62824 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 08:55:22.896015882 CET | 53 | 62824 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 08:55:22.757508993 CET | 192.168.2.4 | 1.1.1.1 | 0x6f6c | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 08:55:22.896015882 CET | 1.1.1.1 | 192.168.2.4 | 0x6f6c | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                                    • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 208.95.112.1 | 80 | 7456 | C:\Users\user\AppData\Roaming\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 08:55:23.022228003 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Nov 25, 2024 08:55:24.118144035 CET | 175 | IN | HTTP/1.1 200 OK
    Date: Mon, 25 Nov 2024 07:55:23 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 58
    X-Rl: 43
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false
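The ip-api.com request above is the sample asking whether its public IP belongs to a hosting provider before it starts C2 traffic (the report lists this as "Check if machine is in data center or colocation facility"); the answer it got in the sandbox was "false". The Python below is added here as an example and is not part of the Joe Sandbox report or of the sample: it flags that pattern in captured HTTP exchanges, i.e. a request to a geo-IP service whose "fields" parameter asks for "hosting" (or "proxy"), and pairs it with the reply body and the image path of the requesting process. The HttpExchange record layout, the function names and the second, benign record are constructed for this example; the first record reproduces the exchange shown above.

```python
"""Flag the geo-IP 'hosting' lookup that a sample makes before beaconing.

Example code; the record layout below is an assumption, not a real log format."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

GEOIP_HOSTS = {"ip-api.com"}                # extend with other IP-information services
ENVIRONMENT_FIELDS = {"hosting", "proxy"}   # fields that answer "am I in a data centre / behind a VPN?"


@dataclass
class HttpExchange:
    pid: int
    process: str     # image path of the process that opened the connection
    request: str     # raw request head as captured by the sandbox or proxy
    response: str    # raw response head and body


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into method, host, path and query parameters."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "host": headers.get("host", "").lower(),
            "path": parts.path, "query": parse_qs(parts.query)}


def response_body(raw: str) -> str:
    """Return the body that follows the blank line terminating the response head."""
    parts = re.split(r"\r?\n\r?\n", raw.strip(), maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""


def hosting_check(ex: HttpExchange):
    """Return a finding when the request asks a geo-IP service for a hosting/proxy verdict, else None."""
    req = parse_request(ex.request)
    if req["host"] not in GEOIP_HOSTS:
        return None
    asked = set()
    for value in req["query"].get("fields", []):
        asked.update(f.strip().lower() for f in value.split(","))
    if not asked & ENVIRONMENT_FIELDS:
        return None
    answer = response_body(ex.response).lower()
    return {
        "pid": ex.pid,
        "process": ex.process,
        "endpoint": req["host"] + req["path"],
        "fields": sorted(asked & ENVIRONMENT_FIELDS),
        "answer": answer,                                   # "false" == not a hosting IP
        "user_writable_image": "\\appdata\\" in ex.process.lower(),
    }


def triage(exchanges) -> list:
    """Run hosting_check over every exchange and keep the hits."""
    return [f for f in map(hosting_check, exchanges) if f]


# Constructed records: the first reproduces the exchange captured in the report,
# the second is an ordinary, unrelated request included for contrast.
SAMPLES = [
    HttpExchange(
        pid=7456,
        process=r"C:\Users\user\AppData\Roaming\svchost.exe",
        request="GET /line/?fields=hosting HTTP/1.1\nHost: ip-api.com\nConnection: Keep-Alive\n",
        response="HTTP/1.1 200 OK\nContent-Type: text/plain; charset=utf-8\nContent-Length: 6\n\nfalse\n",
    ),
    HttpExchange(
        pid=4120,
        process=r"C:\Program Files\Mozilla Firefox\firefox.exe",
        request="GET /index.html HTTP/1.1\nHost: example.org\n",
        response="HTTP/1.1 200 OK\nContent-Length: 0\n\n",
    ),
]

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```

A plain "hosting" query is not malicious on its own, so the finding carries the requesting image path: a system-named binary under AppData making this lookup is the combination worth alerting on.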


                                                                                    Target ID:0
                                                                                    Start time:02:55:17
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Users\user\Desktop\windxcmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\Desktop\windxcmd.exe"
                                                                                    Imagebase:0xf00000
                                                                                    File size:3'542'528 bytes
                                                                                    MD5 hash:65F2DF92724E59CABE9CC5F12768AD93
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1845441721.0000000003541000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:02:55:18
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                                    Imagebase:0x300000
                                                                                    File size:40'448 bytes
                                                                                    MD5 hash:FBC06EB9F872988CF94EC59C859FACD7
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000000.1841139413.0000000000302000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.4308288597.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 83%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:2
                                                                                    Start time:02:55:18
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\wind.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\wind.exe"
                                                                                    Imagebase:0x1cd8cab0000
                                                                                    File size:3'491'840 bytes
                                                                                    MD5 hash:A43BF335D87DF0128E7DA328C6A447B7
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 19%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:4
                                                                                    Start time:02:55:24
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true
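
The schtasks.exe command line in Target ID 4 is the persistence step: a task named "svchost" that re-launches the dropped C:\Users\user\AppData\Roaming\svchost.exe every minute with the highest run level, which is what the Sigma hits "Schedule system process" and "Files With System Process Name In Unsuspected Locations" key on. The Python below is added as an example and is not part of the Joe Sandbox report or of the sample: it parses a process-creation command line for schtasks.exe and returns the indicators a detection rule would combine. The command lines are constructed for the example (the first copies the one above); the system-process name list, the folder markers and the function names are the example's own assumptions.

```python
"""Extract persistence indicators from a schtasks.exe command line.

Example code; the indicator names and the lists below are assumptions to tune."""
import ntpath
import re

# Process names that belong in a system directory; a task pointing one of these
# somewhere else is the "system name in unexpected location" pattern.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe",
                        "explorer.exe", "winlogon.exe", "dllhost.exe", "rundll32.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_options(tokens: list) -> dict:
    """Map /switch [value] pairs to a dict; switches without a value get True."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def executable_of(task_run: str) -> str:
    """Strip trailing arguments from a /tr value (keep everything up to the first .exe)."""
    m = re.match(r'\s*"?(.*?\.exe)', task_run, re.IGNORECASE)
    return m.group(1) if m else task_run.split()[0]


def analyse(cmdline: str) -> list:
    """Return the persistence indicators present in a schtasks /create command line."""
    tokens = tokenize(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return []
    opts = parse_options(tokens[1:])
    if "create" not in opts:
        return []
    findings = []
    if isinstance(opts.get("tr"), str):
        exe_path = executable_of(opts["tr"])
        name = ntpath.basename(exe_path).lower()
        folder = ntpath.dirname(exe_path).lower()
        if name in SYSTEM_PROCESS_NAMES and not folder.startswith(SYSTEM_DIRS):
            findings.append("system_process_name_outside_system_dir")
        if any(marker in folder + "\\" for marker in USER_WRITABLE):
            findings.append("task_binary_in_user_writable_dir")
    if str(opts.get("rl", "")).lower() == "highest":
        findings.append("run_level_highest")
    # /mo defaults to 1 when omitted, so "/sc minute" alone is also every minute
    if str(opts.get("sc", "")).lower() == "minute" and str(opts.get("mo", "1")) == "1":
        findings.append("every_minute_schedule")
    if "f" in opts:
        findings.append("force_overwrite")
    return findings


# Constructed command lines: the first copies the one recorded in the report,
# the other two are benign contrasts (a vendor backup job, a System32 binary).
SAMPLES = [
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"',
    r'schtasks /create /tn "Nightly Backup" /tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00',
    r'schtasks.exe /create /tn "Upd" /tr "C:\Windows\System32\svchost.exe -k netsvcs" /sc hourly',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyse(line) or "clean", "<-", line)
```

Each indicator alone has benign uses (admins do create /RL HIGHEST tasks, and /f is routine in deployment scripts); the alert-worthy case is a system-named binary outside a system directory combined with a minute-granularity trigger, which is exactly the first sample.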

                                                                                    Target ID:5
                                                                                    Start time:02:55:24
                                                                                    Start date:25/11/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1846639125.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b610000_windxcmd.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: H
                                                                                      • API String ID: 0-2852464175
                                                                                      • Opcode ID: 53e665ff854aae9de595bfda1e5618e72289f95767a27d36fac6bdef973c5c60
                                                                                      • Instruction ID: e3b7cf2f2431b97c4f87b5836f0fd3962e606ee3bb30c48b9218c77047fe8c76
                                                                                      • Opcode Fuzzy Hash: 53e665ff854aae9de595bfda1e5618e72289f95767a27d36fac6bdef973c5c60
                                                                                      • Instruction Fuzzy Hash: 3631966284E3C65FC71397B08CB64A17FB09E4762070E44EBD8D4CF4A3D51C6A9AC762
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1846639125.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b610000_windxcmd.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d259128b5e1a27755c73130fac29bbeff0e850f6ed1a850c0199278eae0df35b
                                                                                      • Instruction ID: 8ade59178904e8eb4f09c3df27fd7c51517d0c626e64a18b34196eba7233a1b0
                                                                                      • Opcode Fuzzy Hash: d259128b5e1a27755c73130fac29bbeff0e850f6ed1a850c0199278eae0df35b
                                                                                      • Instruction Fuzzy Hash: B731D421B0DA894FEB95FB6848696B87BE1EF59301B0900BBD45DC72E7DD14AC018741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1846639125.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b610000_windxcmd.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3839d167eccdc8e98a7270807924fc349f9f8e6772eb6f0303c61e82d8bad8f1
                                                                                      • Instruction ID: 0d7a22b4dc747657cbf21bb223d21780f1fa98168192216d86932ac30aebed60
                                                                                      • Opcode Fuzzy Hash: 3839d167eccdc8e98a7270807924fc349f9f8e6772eb6f0303c61e82d8bad8f1
                                                                                      • Instruction Fuzzy Hash: 7A715D30B1990D8FDB98EB68C468BAD77E2FF54305F114579E06AD72E1CF38A9428B40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1846639125.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b610000_windxcmd.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cded3e716d79fae2d9dcac0dce10676c08388bff36dba91b75b32700a6b2957a
                                                                                      • Instruction ID: 6504c38dfce7a4af7b89e83a9f56bd6fc7b5383028251b61cf7c8333c2428961
                                                                                      • Opcode Fuzzy Hash: cded3e716d79fae2d9dcac0dce10676c08388bff36dba91b75b32700a6b2957a
                                                                                      • Instruction Fuzzy Hash: 7F21A731B1895D4FEB94FB6C88A9ABD73D2EF98305B44007AE41DD32A7DE24A8418740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1846639125.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b610000_windxcmd.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b4a7a15b577afc4ed52baab58d5d4aff610f8907825b4ff5fbbd67e031cba0f9
                                                                                      • Instruction ID: 80c50bc5912517e8e81d3846b6d54a14f7f7b88e800e583cb53b3805c3de06ae
                                                                                      • Opcode Fuzzy Hash: b4a7a15b577afc4ed52baab58d5d4aff610f8907825b4ff5fbbd67e031cba0f9
                                                                                      • Instruction Fuzzy Hash: 9C014E31B1E6894FD794E739986596973D1EF48708F010079D05DC72D6EE2CB8418782
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1846639125.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b610000_windxcmd.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f2212f039560689636d6f536f3d6be61308dfd4febf5ce4978dac2afcde567af
                                                                                      • Instruction ID: a828c5f460762613df7def245f3a3d740b408e48157fedec2ec37ab0a771dc4b
                                                                                      • Opcode Fuzzy Hash: f2212f039560689636d6f536f3d6be61308dfd4febf5ce4978dac2afcde567af
                                                                                      • Instruction Fuzzy Hash: 33F0F930B1D5194FD694E729986596973D1EB88708B500039D01EC3299DE2CB9424BC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1846639125.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b610000_windxcmd.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f48322b06975a898d07c507ca0ac173b97d9a4facd3227a7a909b057ce1dc88a
                                                                                      • Instruction ID: e64923373f75c22d4e0e7369ed35884d7fbcf24128b38b921ec4d49d57068751
                                                                                      • Opcode Fuzzy Hash: f48322b06975a898d07c507ca0ac173b97d9a4facd3227a7a909b057ce1dc88a
                                                                                      • Instruction Fuzzy Hash: 4DF0F930B1E5594AD794E739985197933D1DF88708F100575D01DC329ADD28B84247C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1846639125.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b610000_windxcmd.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d982e96f5aa02b1fd458530c518739aeb1530a2bb7edf7be4d13645956640126
                                                                                      • Instruction ID: ed73fb83351e37e03a2e736d758d7dad236eaf9b9b91f26085463f70056bfe5b
                                                                                      • Opcode Fuzzy Hash: d982e96f5aa02b1fd458530c518739aeb1530a2bb7edf7be4d13645956640126
                                                                                      • Instruction Fuzzy Hash: 3EE08602F5D8094BFB9869AC28762B8B7C1EB98614F415035E01DC22DBEC19AC824241

                                                                                      Execution Graph

                                                                                      Execution Coverage:21.8%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:23.1%
                                                                                      Total number of Nodes:13
                                                                                      Total number of Limit Nodes:0

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 0 7ffd9b60c794-7ffd9b60c7e5 call 7ffd9b600638 6 7ffd9b60c7e7-7ffd9b60c804 0->6 7 7ffd9b60c85b 0->7 8 7ffd9b60c860-7ffd9b60c875 6->8 10 7ffd9b60c806-7ffd9b60c856 call 7ffd9b60b4a0 6->10 7->8 12 7ffd9b60c893-7ffd9b60c8a8 8->12 13 7ffd9b60c877-7ffd9b60c88e call 7ffd9b600828 call 7ffd9b600648 8->13 32 7ffd9b60d49b-7ffd9b60d4a9 10->32 19 7ffd9b60c8df-7ffd9b60c8f4 12->19 20 7ffd9b60c8aa-7ffd9b60c8da call 7ffd9b600828 12->20 13->32 30 7ffd9b60c8f6-7ffd9b60c902 call 7ffd9b60ab48 19->30 31 7ffd9b60c907-7ffd9b60c91c 19->31 20->32 30->32 38 7ffd9b60c91e-7ffd9b60c921 31->38 39 7ffd9b60c962-7ffd9b60c977 31->39 38->7 41 7ffd9b60c927-7ffd9b60c932 38->41 45 7ffd9b60c9b8-7ffd9b60c9cd 39->45 46 7ffd9b60c979-7ffd9b60c97c 39->46 41->7 42 7ffd9b60c938-7ffd9b60c95d call 7ffd9b600620 call 7ffd9b60ab48 41->42 42->32 53 7ffd9b60c9cf-7ffd9b60c9d2 45->53 54 7ffd9b60c9fa-7ffd9b60ca0f 45->54 46->7 47 7ffd9b60c982-7ffd9b60c98d 46->47 47->7 49 7ffd9b60c993-7ffd9b60c9b3 call 7ffd9b600620 call 7ffd9b6090a0 47->49 49->32 53->7 57 7ffd9b60c9d8-7ffd9b60c9f5 call 7ffd9b600620 call 7ffd9b6090a8 53->57 62 7ffd9b60ca15-7ffd9b60ca61 call 7ffd9b6005a8 54->62 63 7ffd9b60cae7-7ffd9b60cafc 54->63 57->32 62->7 97 7ffd9b60ca67-7ffd9b60ca96 62->97 72 7ffd9b60cafe-7ffd9b60cb01 63->72 73 7ffd9b60cb1b-7ffd9b60cb30 63->73 72->7 76 7ffd9b60cb07-7ffd9b60cb16 call 7ffd9b609080 72->76 80 7ffd9b60cb52-7ffd9b60cb67 73->80 81 7ffd9b60cb32-7ffd9b60cb35 73->81 76->32 88 7ffd9b60cb87-7ffd9b60cb9c 80->88 89 7ffd9b60cb69-7ffd9b60cb82 80->89 81->7 83 7ffd9b60cb3b-7ffd9b60cb4d call 7ffd9b609080 81->83 83->32 94 7ffd9b60cb9e-7ffd9b60cbb7 88->94 95 7ffd9b60cbbc-7ffd9b60cbd1 88->95 89->32 94->32 101 7ffd9b60cbf1-7ffd9b60cc06 95->101 102 7ffd9b60cbd3-7ffd9b60cbec 95->102 107 7ffd9b60cc2f-7ffd9b60cc44 101->107 108 7ffd9b60cc08-7ffd9b60cc0b 101->108 102->32 112 7ffd9b60cce4-7ffd9b60ccf9 107->112 113 7ffd9b60cc4a-7ffd9b60cc63 
                                                                                      • Control-flow graph edge list (continued) for basic blocks 7ffd9b60cc11 through 7ffd9b60d49a: only internal calls (7ffd9b600af0, 7ffd9b60b4a0, 7ffd9b600618, 7ffd9b600620, 7ffd9b609058, 7ffd9b60b160, 7ffd9b6097a0, 7ffd9b609060, 7ffd9b60ab68 through 7ffd9b60abd8, 7ffd9b607ac0, 7ffd9b600628), no Windows API calls; raw edge list omitted
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4319930887.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b600000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID: 0-3916222277
                                                                                      • Opcode ID: 3d280451b3b7249ea671043e83b7e0f227bf829c0275a01703c0fe909bad9101
                                                                                      • Instruction ID: 98771f8f90fb11a20edb76d78c26b1d2c80ee4fc338d1b8af3b1b5a1231b3e30
                                                                                      • Opcode Fuzzy Hash: 3d280451b3b7249ea671043e83b7e0f227bf829c0275a01703c0fe909bad9101
                                                                                      • Instruction Fuzzy Hash: 4C72F530F1D50E4BEB68EBBA8462A7972D2FF89310F554578D46EC72D6DE38B8028741

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4319930887.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b600000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: CheckDebuggerPresentRemote
                                                                                      • String ID:
                                                                                      • API String ID: 3662101638-0
                                                                                      • Opcode ID: 9043e3776fc03d8bbe4954d5ca85373896bc80d1b04bea2c6db0e81672b3c935
                                                                                      • Instruction ID: 23dbe1fabe5c9421741b4a5faec2c8d4572d999230edf5897010d00156dc3ecc
                                                                                      • Opcode Fuzzy Hash: 9043e3776fc03d8bbe4954d5ca85373896bc80d1b04bea2c6db0e81672b3c935
                                                                                      • Instruction Fuzzy Hash: 8CC1253090978C8FDB59DF68C8557E97BE0FF56310F0542ABE889C72A2DB34A945CB81

                                                                                      Control-flow Graph

                                                                                      • Control-flow graph for the function at 7ffd9b605776-7ffd9b605c32: one internal call (7ffd9b605c34), no Windows API calls; raw edge list omitted
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4319930887.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b600000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e4ede316da15ccc5824801618a65a5f8f7b0d0da60404677735c786e42f8e9e9
                                                                                      • Instruction ID: 61fab33b207dd1f1bcd1231cd7a22f7209fa0aa383056d92886b3b02b3d8f5f5
                                                                                      • Opcode Fuzzy Hash: e4ede316da15ccc5824801618a65a5f8f7b0d0da60404677735c786e42f8e9e9
                                                                                      • Instruction Fuzzy Hash: 99F1D730A0DA8D8FEBA8DF29C8957E937D1FF55310F04426EE85DC7295DB34A9448B81

                                                                                      Control-flow Graph

                                                                                      • Control-flow graph for the function at 7ffd9b606522-7ffd9b6069ae: one internal call (7ffd9b6069b0), no Windows API calls; raw edge list omitted
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4319930887.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b600000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: adf29b8f18fbfdad204ca68a9aca3c755844a892096d5262c21b401b7e540502
                                                                                      • Instruction ID: 1d09c1c8cd555c89d26502d69b050a75f40c516ea21e589b3bc1a91503273dd4
                                                                                      • Opcode Fuzzy Hash: adf29b8f18fbfdad204ca68a9aca3c755844a892096d5262c21b401b7e540502
                                                                                      • Instruction Fuzzy Hash: F7E1E630A19A8D8FEBA8DF29C8657E93BD1FF55310F04426EE85DC7295CF74A9408782
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4319930887.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b600000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5485e8aa05f8fbe053c6db650701cd8d903599f2148cad2af0f07d2dcfad8337
                                                                                      • Instruction ID: c51d9b6d5f340def7f0bb3039ed60d2a6e5e96bc082694fe9f257d1928d133db
                                                                                      • Opcode Fuzzy Hash: 5485e8aa05f8fbe053c6db650701cd8d903599f2148cad2af0f07d2dcfad8337
                                                                                      • Instruction Fuzzy Hash: 1BC1C520B1D90D4FEB98EB6E84757B977D2EF9A300F45417AE09DC72E6DE28B9014341

                                                                                      Control-flow Graph

                                                                                      • Control-flow graph for the function at 7ffd9b608958-7ffd9b608ba8: calls SetWindowsHookExW in block 7ffd9b608b32-7ffd9b608b6f; raw edge list omitted
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4319930887.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b600000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 449b7cacbc73ff2f41adf7b2c02ac948ae87633f1215d78218c4e02a10dbbd3e
                                                                                      • Instruction ID: a3e0f8df4b5789b6b6051dd84affe522cce45d29fb398d85ee27c9f86950f691
                                                                                      • Opcode Fuzzy Hash: 449b7cacbc73ff2f41adf7b2c02ac948ae87633f1215d78218c4e02a10dbbd3e
                                                                                      • Instruction Fuzzy Hash: 9971D430A0DA5C8FDB58EB59D8556F9BBE1FF59321F04427BD059C3292CB74A811CB81

                                                                                      Control-flow Graph

                                                                                      • Control-flow graph for the function at 7ffd9b6089ad-7ffd9b608ba8 (shares its body with the function at 7ffd9b608958): calls SetWindowsHookExW in block 7ffd9b608b32-7ffd9b608b6f; raw edge list omitted
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4319930887.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b600000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: HookWindows
                                                                                      • String ID:
                                                                                      • API String ID: 2559412058-0
                                                                                      • Opcode ID: 1f05eab89984ebca46c425d4fa635855aac93fa56034591fed6e83c6ba9b9973
                                                                                      • Instruction ID: 751eb2e713ca722449de8193e15c7f3d7eb5d69188228761d3a856faa1c7d9ef
                                                                                      • Opcode Fuzzy Hash: 1f05eab89984ebca46c425d4fa635855aac93fa56034591fed6e83c6ba9b9973
                                                                                      • Instruction Fuzzy Hash: 0E61F730A0CA5C8FDB18DB6CD859AF9BBE1EF55311F04426FD049C3692CB74A805CB81

                                                                                      Control-flow Graph

                                                                                      • Control-flow graph for the function at 7ffd9b608791-7ffd9b6088ad: calls RtlSetProcessIsCritical in block 7ffd9b6087ac-7ffd9b608870; raw edge list omitted
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4319930887.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b600000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2695349919-0
                                                                                      • Opcode ID: 47dc498e9a4b01401f4c7c111799f8b27b0ca2cb35847dd185a46f598d65a314
                                                                                      • Instruction ID: 7595279675a9986cfd47cbb4463d916a69f8206ee7a5d13cd062c590fc486995
                                                                                      • Opcode Fuzzy Hash: 47dc498e9a4b01401f4c7c111799f8b27b0ca2cb35847dd185a46f598d65a314
                                                                                      • Instruction Fuzzy Hash: 3441233190C6588FDB29DB989855AF97BF0EF56311F04416EE09AC3692CB74A842CB91
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.4330079382.00007FFD9B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_7ffd9b630000_wind.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (M_H
                                                                                      • API String ID: 0-2040843879
                                                                                      • Opcode ID: ef7730bb17c8b0f9d463f70208806f19b372977f9d6d8c9b04e9c8bd1d08d28f
                                                                                      • Instruction ID: d2bb8f33b1573b795d53f6eac5073784016979b0a5340a536671f01ee19ef8a1
                                                                                      • Opcode Fuzzy Hash: ef7730bb17c8b0f9d463f70208806f19b372977f9d6d8c9b04e9c8bd1d08d28f
                                                                                      • Instruction Fuzzy Hash: B2E1CF70709A488FE399EB3884A57A977D2FF98301F5540BAD45ECB2A6CE34F942C700
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.4330079382.00007FFD9B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_7ffd9b630000_wind.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: YQ^
                                                                                      • API String ID: 0-3234958509
                                                                                      • Opcode ID: 32a1a83725f0e848621748f981c702486443bde1dc2a267d9e08b98ae62e3cfd
                                                                                      • Instruction ID: b22b91b0b07165f4f0e987c5f229b84138138918b6c068f51cfa3f5d17a84c08
                                                                                      • Opcode Fuzzy Hash: 32a1a83725f0e848621748f981c702486443bde1dc2a267d9e08b98ae62e3cfd
                                                                                      • Instruction Fuzzy Hash: 02416B52F0F68A0FF7689B6858322AC7BD0EF95740B4540BBD0A8CB1E7DD14B90D8385
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.4330079382.00007FFD9B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_7ffd9b630000_wind.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e5f4dd3357edbf325195f3f3357c3a62d337fd8f7acf9958f81058a0fc0b78cb
                                                                                      • Instruction ID: d8746446eb562153b02a83ba2fd7194f3c377255755a1a8e9137e6068fecab09
                                                                                      • Opcode Fuzzy Hash: e5f4dd3357edbf325195f3f3357c3a62d337fd8f7acf9958f81058a0fc0b78cb
                                                                                      • Instruction Fuzzy Hash: 04510731B0EA4C8FE7A9EB288421AAD77D2FF98700F4541B9D05DCB2A6DD34F9458340
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.4330079382.00007FFD9B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_7ffd9b630000_wind.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e6b913d1d816992788543b450b2d5a0a62a7fc011885933dceb8f12ab9c7eada
                                                                                      • Instruction ID: 8ef76e4ad26e30383eb80c30304dcc9007b671ba20e4b19db7cf38e6cd5da63e
                                                                                      • Opcode Fuzzy Hash: e6b913d1d816992788543b450b2d5a0a62a7fc011885933dceb8f12ab9c7eada
                                                                                      • Instruction Fuzzy Hash: D451BF70709A488FD799EB28C454B69B7E2FF99301F5541BAD45ECB2A6CE34E9828700
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.4330079382.00007FFD9B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_7ffd9b630000_wind.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5a9a90e49a86a4c27da551b8578232096e79513b1198318cfb4c4cb76699c075
                                                                                      • Instruction ID: 9f729760bfb6df32fd4a2b75bb69bd435ae8431766a22b7892fcbdfcc5715e10
                                                                                      • Opcode Fuzzy Hash: 5a9a90e49a86a4c27da551b8578232096e79513b1198318cfb4c4cb76699c075
                                                                                      • Instruction Fuzzy Hash: F5317166F2F20A07E73C99885C631B87381EB86711F55063DD9EA4A3DAEE0C761B41C7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000002.00000002.4330079382.00007FFD9B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_2_2_7ffd9b630000_wind.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b74764dbf78668bb31da1ed3f6bb348973650b0776b42b5ab484a55070c0eb1
                                                                                      • Instruction ID: ebd59af267b8ad4300cf40ab7933005d6214854e97f2ab8a4c3d64a525c30de3
                                                                                      • Opcode Fuzzy Hash: 1b74764dbf78668bb31da1ed3f6bb348973650b0776b42b5ab484a55070c0eb1
                                                                                      • Instruction Fuzzy Hash: B6213DA3F0FA8B1FE76596B808795B12BA1EF6139070A01B7D469DF1E7DD147C058350