Windows Analysis Report
55ryoipjfdr.exe

Overview

General Information

Sample name: 55ryoipjfdr.exe
Analysis ID: 1592535
MD5: f0b9f50c6a247ac5ca9cc95135b83dcf
SHA1: c1b276883da10fa2bf1c37a3851781e5c702a601
SHA256: 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
Tags: exemalwareRansomwareuser-Joker
Infos:

Detection

Trickbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Trickbot e-Banking trojan config
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Trickbot
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
TrickBot A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.- Q4 2016 - Detected in wildOct 2016 - 1st Report2017 - Trickbot primarily uses Necurs as vehicle for installs.Jan 2018 - Use XMRIG (Monero) minerFeb 2018 - Theft BitcoinMar 2018 - Unfinished ransomware moduleQ3/4 2018 - Trickbot starts being spread through Emotet.Infection Vector1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot3. Phish > Attached MS Office > Macro enabled > Trickbot installed
  • TA505
  • UNC1878
  • WIZARD SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 55ryoipjfdr.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Avira: detection malicious, Label: HEUR/AGEN.1315497
Found malware configuration
Source: 6.2.svchost.exe.140000000.0.unpack Malware Configuration Extractor: Trickbot {"ver": "1000047", "gtag": "mac1", "servs": ["91.83.88.51:449", "193.19.118.207:443", "185.15.245.102:443", "185.15.245.103:443", "199.48.160.60:443", "195.133.48.80:443", "147.135.196.128:443", "194.87.95.120:443", "194.87.99.62:443", "194.87.239.114:443", "94.242.224.218:443", "195.133.147.135:443", "185.158.113.62:443", "194.87.146.180:443", "194.87.99.220:443", "194.87.95.122:443", "194.87.111.6:443", "195.133.197.187:443", "194.87.99.210:443", "169.239.129.42:443", "178.156.202.97:443"], "ecc_key": "RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg="}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe ReversingLabs: Detection: 94%
Multi AV Scanner detection for submitted file
Source: 55ryoipjfdr.exe Virustotal: Detection: 90% Perma Link
Source: 55ryoipjfdr.exe ReversingLabs: Detection: 94%
Yara detected Trickbot
Source: Yara match File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 55ryoipjfdr.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140007340 memcpy,HeapFree,CryptReleaseContext, 6_2_0000000140007340
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140006FB0 HeapFree,CryptReleaseContext, 6_2_0000000140006FB0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140006FB0 HeapFree,CryptReleaseContext, 8_2_0000000140006FB0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140007340 memcpy,HeapFree,CryptReleaseContext, 8_2_0000000140007340

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack
Uses 32bit PE files
Source: 55ryoipjfdr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 194.87.99.210:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000000014000D0F0 HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,FindNextFileW,GetLastError, 8_2_000000014000D0F0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2838349 - Severity 1 - ETPRO MALWARE Win32/TrickBot CnC Initial Checkin : 192.168.2.8:49714 -> 194.87.99.210:443
Source: Network traffic Suricata IDS: 2838349 - Severity 1 - ETPRO MALWARE Win32/TrickBot CnC Initial Checkin : 192.168.2.8:49713 -> 194.87.99.210:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 91.83.88.51:449
Source: Malware configuration extractor IPs: 193.19.118.207:443
Source: Malware configuration extractor IPs: 185.15.245.102:443
Source: Malware configuration extractor IPs: 185.15.245.103:443
Source: Malware configuration extractor IPs: 199.48.160.60:443
Source: Malware configuration extractor IPs: 195.133.48.80:443
Source: Malware configuration extractor IPs: 147.135.196.128:443
Source: Malware configuration extractor IPs: 194.87.95.120:443
Source: Malware configuration extractor IPs: 194.87.99.62:443
Source: Malware configuration extractor IPs: 194.87.239.114:443
Source: Malware configuration extractor IPs: 94.242.224.218:443
Source: Malware configuration extractor IPs: 195.133.147.135:443
Source: Malware configuration extractor IPs: 185.158.113.62:443
Source: Malware configuration extractor IPs: 194.87.146.180:443
Source: Malware configuration extractor IPs: 194.87.99.220:443
Source: Malware configuration extractor IPs: 194.87.95.122:443
Source: Malware configuration extractor IPs: 194.87.111.6:443
Source: Malware configuration extractor IPs: 195.133.197.187:443
Source: Malware configuration extractor IPs: 194.87.99.210:443
Source: Malware configuration extractor IPs: 169.239.129.42:443
Source: Malware configuration extractor IPs: 178.156.202.97:443
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SERVIHOSTING-ASAireNetworksES SERVIHOSTING-ASAireNetworksES
Source: Joe Sandbox View ASN Name: MTW-ASRU MTW-ASRU
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 16 Jan 2025 08:10:55 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 16 Jan 2025 08:10:56 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.95.122/
Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670835827.00000159F2AB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/H
Source: svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.95.122:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670888110.00000159F2AEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.99.210/
Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2670682517.00000159F2A71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670682517.00000159F2A71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/u
Source: svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670621225.00000159F2A57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/pD
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 194.87.99.210:443 -> 192.168.2.8:49713 version: TLS 1.2

E-Banking Fraud
barindex
Detected Trickbot e-Banking trojan config
Source: svchost.exe, 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <mcconf><ver>1000047</ver><gtag>mac1</gtag><servs><srv>91.83.88.51:449</srv><srv>193.19.118.207:443</srv><srv>185.15.245.102:443</srv><srv>185.15.245.103:443</srv><srv>199.48.160.60:443</srv><srv>195.133.48.80:443</srv><srv>147.135.196.128:443</srv><srv>194.87.95.120:443</srv><srv>194.87.99.62:443</srv><srv>194.87.239.114:443</srv><srv>94.242.224.218:443</srv><srv>195.133.147.135:443</srv><srv>185.158.113.62:443</srv><srv>194.87.146.180:443</srv><srv>194.87.99.220:443</srv><srv>194.87.95.122:443</srv><srv>194.87.111.6:443</srv><srv>195.133.197.187:443</srv><srv>194.87.99.210:443</srv><srv>169.239.129.42:443</srv><srv>178.156.202.97:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="testnewinj3Dll"/></autorun></mcconf>pe>InteractiveToken</LogonType>
Source: svchost.exe, 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <mcconf><ver>1000047</ver><gtag>mac1</gtag><servs><srv>91.83.88.51:449</srv><srv>193.19.118.207:443</srv><srv>185.15.245.102:443</srv><srv>185.15.245.103:443</srv><srv>199.48.160.60:443</srv><srv>195.133.48.80:443</srv><srv>147.135.196.128:443</srv><srv>194.87.95.120:443</srv><srv>194.87.99.62:443</srv><srv>194.87.239.114:443</srv><srv>94.242.224.218:443</srv><srv>195.133.147.135:443</srv><srv>185.158.113.62:443</srv><srv>194.87.146.180:443</srv><srv>194.87.99.220:443</srv><srv>194.87.95.122:443</srv><srv>194.87.111.6:443</srv><srv>195.133.197.187:443</srv><srv>194.87.99.210:443</srv><srv>169.239.129.42:443</srv><srv>178.156.202.97:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="testnewinj3Dll"/></autorun></mcconf>
Yara detected Trickbot
Source: Yara match File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 8.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect TrickBot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect TrickBot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess, 0_2_00401A00
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001A20 EntryPoint,NtClose,NtClose, 3_3_10001A20
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001920 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory, 3_3_10001920
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10003220 NtReadVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory, 3_3_10003220
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001830 NtAllocateVirtualMemory, 3_3_10001830
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10002CB0 MultiByteToWideChar,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrLoadDll,NtReadVirtualMemory,NtFreeVirtualMemory, 3_3_10002CB0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_100018C0 NtProtectVirtualMemory, 3_3_100018C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_100017D0 NtWriteVirtualMemory, 3_3_100017D0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001AE0 NtCreateEvent,NtCreateEvent,NtDuplicateObject,NtDuplicateObject,NtSignalAndWaitForSingleObject,NtClose,NtClearEvent,NtWriteVirtualMemory,NtClearEvent,NtClearEvent,NtResumeThread,NtSignalAndWaitForSingleObject,NtClose,NtClose,NtDuplicateObject,NtDuplicateObject,NtFreeVirtualMemory,NtFreeVirtualMemory, 3_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10002F60 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrGetProcedureAddress,NtReadVirtualMemory,NtFreeVirtualMemory, 3_3_10002F60
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_100015F0 NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory, 3_3_100015F0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10003470 NtReadVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory, 3_3_10003470
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001FF0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtQueryInformationProcess,NtWriteVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory, 3_3_10001FF0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001880 NtFreeVirtualMemory, 3_3_10001880
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001E70 NtReadVirtualMemory,NtWriteVirtualMemory,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtSignalAndWaitForSingleObject,NtClose,NtClose, 3_3_10001E70
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001A20 EntryPoint,NtClose,NtClose, 7_3_10001A20
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001920 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory, 7_3_10001920
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10003220 NtReadVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory, 7_3_10003220
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001830 NtAllocateVirtualMemory, 7_3_10001830
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10002CB0 MultiByteToWideChar,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrLoadDll,NtReadVirtualMemory,NtFreeVirtualMemory, 7_3_10002CB0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_100018C0 NtProtectVirtualMemory, 7_3_100018C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_100017D0 NtWriteVirtualMemory, 7_3_100017D0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001AE0 NtCreateEvent,NtCreateEvent,NtDuplicateObject,NtDuplicateObject,NtSignalAndWaitForSingleObject,NtClose,NtClearEvent,NtWriteVirtualMemory,NtClearEvent,NtClearEvent,NtResumeThread,NtSignalAndWaitForSingleObject,NtClose,NtClose,NtDuplicateObject,NtDuplicateObject,NtFreeVirtualMemory,NtFreeVirtualMemory, 7_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10002F60 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrGetProcedureAddress,NtReadVirtualMemory,NtFreeVirtualMemory, 7_3_10002F60
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_100015F0 NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory, 7_3_100015F0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10003470 NtReadVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory, 7_3_10003470
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001FF0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtQueryInformationProcess,NtWriteVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory, 7_3_10001FF0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001880 NtFreeVirtualMemory, 7_3_10001880
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001E70 NtReadVirtualMemory,NtWriteVirtualMemory,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtSignalAndWaitForSingleObject,NtClose,NtClose, 7_3_10001E70
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001AE0 3_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001FF0 3_3_10001FF0
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140002900 6_2_0000000140002900
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140012820 6_2_0000000140012820
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140003860 6_2_0000000140003860
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140014080 6_2_0000000140014080
Source: C:\Windows\System32\svchost.exe Code function: 6_2_000000014000E0C0 6_2_000000014000E0C0
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140013CD0 6_2_0000000140013CD0
Source: C:\Windows\System32\svchost.exe Code function: 6_2_000000014000F8D0 6_2_000000014000F8D0
Source: C:\Windows\System32\svchost.exe Code function: 6_2_000000014000E6D0 6_2_000000014000E6D0
Source: C:\Windows\System32\svchost.exe Code function: 6_2_000000014000F310 6_2_000000014000F310
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140015340 6_2_0000000140015340
Source: C:\Windows\System32\svchost.exe Code function: 6_2_00000001400179C0 6_2_00000001400179C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001AE0 7_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_3_10001FF0 7_3_10001FF0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140002900 8_2_0000000140002900
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140012820 8_2_0000000140012820
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140003860 8_2_0000000140003860
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140014080 8_2_0000000140014080
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000000014000E0C0 8_2_000000014000E0C0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140013CD0 8_2_0000000140013CD0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000000014000F8D0 8_2_000000014000F8D0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000000014000E6D0 8_2_000000014000E6D0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000000014000F310 8_2_000000014000F310
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140015340 8_2_0000000140015340
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00000001400179C0 8_2_00000001400179C0
Uses 32bit PE files
Source: 55ryoipjfdr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 6.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 8.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Trickbot hash1 = 2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c, author = JPCERT/CC Incident Response Group, description = detect TrickBot in memory, rule_usage = memory scan
Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Trickbot hash1 = 2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c, author = JPCERT/CC Incident Response Group, description = detect TrickBot in memory, rule_usage = memory scan
Source: 00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@8/4@1/22
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140002900 SetCurrentDirectoryW,GetTickCount,srand,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,??2@YAPEAX_K@Z,HeapFree,HeapFree,_time64,_time64,Sleep,??2@YAPEAX_K@Z,HeapFree,_time64,??3@YAXPEAX@Z,HeapFree,Sleep,_time64,HeapFree,_time64,_wtoi,_wtoi,HeapFree,HeapFree,HeapFree,FreeLibrary,CoUninitialize, 6_2_0000000140002900
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_0040197E FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_0040197E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe File created: C:\Users\user\AppData\Roaming\winapp Jump to behavior
Source: C:\Windows\System32\svchost.exe Mutant created: \BaseNamedObjects\Global\VLock
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\VLock
Source: 55ryoipjfdr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 55ryoipjfdr.exe Virustotal: Detection: 90%
Source: 55ryoipjfdr.exe ReversingLabs: Detection: 94%
Source: C:\Users\user\Desktop\55ryoipjfdr.exe File read: C:\Users\user\Desktop\55ryoipjfdr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\55ryoipjfdr.exe "C:\Users\user\Desktop\55ryoipjfdr.exe"
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs
Source: unknown Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: authz.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: gqrotepg.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: remotepg.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: regapi.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: authz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: gqrotepg.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: remotepg.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: regapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: authz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: gqrotepg.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: remotepg.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: regapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptprov.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: 55ryoipjfdr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess, 0_2_00401A00

Persistence and Installation Behavior
barindex
Yara detected PersistenceViaHiddenTask
Source: Yara match File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR
Drops PE files
Source: C:\Users\user\Desktop\55ryoipjfdr.exe File created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Jump to dropped file

Boot Survival
barindex
Yara detected PersistenceViaHiddenTask
Source: Yara match File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\svchost.exe Code function: 6_2_000000014000C3F0 LoadLibraryExW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_000000014000C3F0

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD304
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD6E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7ADA04
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD244
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD2E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD6C4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD424
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AE654
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD784
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD744
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe API/Special instruction interceptor: Address: 7FFBCB7AD3C4
Contains functionality to query network adapater information
Source: C:\Windows\System32\svchost.exe Code function: HeapFree,GetAdaptersInfo,HeapFree,HeapFree, 8_2_000000014000A230
Found evasive API chain checking for process token information
Source: C:\Windows\System32\svchost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\System32\svchost.exe API coverage: 4.8 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000000014000D0F0 HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,FindNextFileW,GetLastError, 8_2_000000014000D0F0
Source: C:\Windows\System32\svchost.exe Code function: 6_2_000000014000C0C0 GetProcAddress,GetSystemInfo, 6_2_000000014000C0C0
Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124@%SystemRoot%\System32\ci.dll,-100Hyper-V RAWDDDD
Source: svchost.exe, 00000008.00000002.2670682517.00000159F2A77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000002.2670494241.00000159F2A2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@f
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_3_10001020 LdrLoadDll,LdrLoadDll, 3_3_10001020
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess, 0_2_00401A00
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_0040116E mov eax, dword ptr fs:[00000030h] 0_2_0040116E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_004C007E push dword ptr fs:[00000030h] 0_2_004C007E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_004C03BB push dword ptr fs:[00000030h] 0_2_004C03BB
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_004D007E push dword ptr fs:[00000030h] 0_2_004D007E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_004D03BB push dword ptr fs:[00000030h] 0_2_004D03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_2_007B03BB push dword ptr fs:[00000030h] 3_2_007B03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_2_007B007E push dword ptr fs:[00000030h] 3_2_007B007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_2_007C007E push dword ptr fs:[00000030h] 3_2_007C007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 3_2_007C03BB push dword ptr fs:[00000030h] 3_2_007C03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_2_006B03BB push dword ptr fs:[00000030h] 7_2_006B03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_2_006B007E push dword ptr fs:[00000030h] 7_2_006B007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_2_006C007E push dword ptr fs:[00000030h] 7_2_006C007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Code function: 7_2_006C03BB push dword ptr fs:[00000030h] 7_2_006C03BB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\55ryoipjfdr.exe Code function: 0_2_00402200 GetProcessHeap,RtlFreeHeap, 0_2_00402200
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140018520 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0000000140018520
Source: C:\Windows\System32\svchost.exe Code function: 6_2_0000000140018168 SetUnhandledExceptionFilter, 6_2_0000000140018168
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140018168 SetUnhandledExceptionFilter, 8_2_0000000140018168
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0000000140018520 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0000000140018520

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EE20000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EE30000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140001000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140019000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140020000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140021000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140023000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF50000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF50000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F28A0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F28B0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140001000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140019000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140020000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140021000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 140023000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29D0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory allocated: C:\Windows\System32\svchost.exe base: 159F29D0000 protect: page execute and read and write Jump to behavior
Hijacks the control flow in another process
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: PID: 1984 base: 140020000 value: FF Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: PID: 5496 base: 140020000 value: FF Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140000000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE20000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF67E6D5080 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140000000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140001000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140001000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140020000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140020000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140021000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140021000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140023000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140023000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140024000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140024000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019180 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019188 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019190 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019198 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191A0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191A8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191B0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191B8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191C0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191C8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191D8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191E0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191E8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191F0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191F8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019200 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019208 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019210 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019218 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019220 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019228 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019230 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019238 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019240 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019248 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019250 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019258 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019260 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019268 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019270 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019278 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019018 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019020 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019028 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019030 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019038 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019040 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019048 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019050 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019058 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019060 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019068 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019070 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019078 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019080 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019088 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019090 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019098 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190A0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190A8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019288 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019290 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190B8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190C0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190C8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190D8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190E8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190F0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190F8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019100 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019108 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019110 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019118 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019120 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019128 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019130 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019138 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019140 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019150 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019158 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019160 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019168 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019170 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: B25F9B4010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0F003F30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0F003F48 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F28A0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF67E6D5080 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140000000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140001000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140001000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140020000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140020000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140021000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140021000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140023000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140023000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140024000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140024000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019180 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019188 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019190 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019198 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191A0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191A8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191B0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191B8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191C0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191C8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191D8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191E0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191E8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191F0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400191F8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019200 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019208 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019210 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019218 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019220 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019228 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019230 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019238 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019240 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019248 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019250 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019258 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019260 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019268 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019270 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019278 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019018 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019020 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019028 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019030 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019038 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019040 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019048 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019050 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019058 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019060 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019068 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019070 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019078 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019080 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019088 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019090 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019098 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190A0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190A8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019288 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019290 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190B8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190C0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190C8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190D8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190E8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190F0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 1400190F8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019100 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019108 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019110 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019118 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019120 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019128 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019130 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019138 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Memory written: C:\Windows\System32\svchost.exe base: 140019140 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs Jump to behavior
Source: C:\Windows\System32\svchost.exe Code function: 6_2_00000001400182FC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_00000001400182FC

Stealing of Sensitive Information
barindex
Yara detected Trickbot
Source: Yara match File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Trickbot
Source: Yara match File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1592535 Sample: 55ryoipjfdr.exe Startdate: 16/01/2025 Architecture: WINDOWS Score: 100 32 169.239.129.42 ZAPPIE-HOST-ASZappieHostGB Seychelles 2->32 34 178.156.202.97 SERVIHOSTING-ASAireNetworksES Romania 2->34 36 18 other IPs or domains 2->36 38 Suricata IDS alerts for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 8 55ryoipjfdr.exe 3 2->8         started        12 44qxnhoiecq.exe 2->12         started        signatures3 process4 file5 22 C:\Users\user\AppData\...\44qxnhoiecq.exe, PE32 8->22 dropped 24 C:\Users\...\44qxnhoiecq.exe:Zone.Identifier, ASCII 8->24 dropped 46 Detected unpacking (changes PE section rights) 8->46 48 Detected unpacking (overwrites its own PE header) 8->48 14 44qxnhoiecq.exe 8->14         started        50 Hijacks the control flow in another process 12->50 52 Writes to foreign memory regions 12->52 54 Allocates memory in foreign processes 12->54 56 Injects a PE file into a foreign processes 12->56 17 svchost.exe 3 12->17         started        signatures6 process7 dnsIp8 58 Antivirus detection for dropped file 14->58 60 Multi AV Scanner detection for dropped file 14->60 62 Detected unpacking (changes PE section rights) 14->62 66 7 other signatures 14->66 20 svchost.exe 14->20         started        26 194.87.95.122, 443, 49715 MTW-ASRU Russian Federation 17->26 28 194.87.99.210, 443, 49713, 49714 MTW-ASRU Russian Federation 17->28 30 api.ipify.org 104.26.12.205, 49712, 80 CLOUDFLARENETUS United States 17->30 64 Detected Trickbot e-Banking trojan config 17->64 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
178.156.202.97
 unknown Romania
29119 SERVIHOSTING-ASAireNetworksES true
194.87.99.62
 unknown Russian Federation
48347 MTW-ASRU true
194.87.146.180
 unknown Russian Federation
48347 MTW-ASRU true
194.87.111.6
 unknown Russian Federation
48347 MTW-ASRU true
194.87.95.122
 unknown Russian Federation
48347 MTW-ASRU true
147.135.196.128
 unknown France
16276 OVHFR true
195.133.147.135
 unknown Russian Federation
48347 MTW-ASRU true
195.133.197.187
 unknown Russian Federation
48347 MTW-ASRU true
194.87.99.210
 unknown Russian Federation
48347 MTW-ASRU true
185.15.245.102
 unknown Germany
24961 MYLOC-ASIPBackboneofmyLocmanagedITAGDE true
185.15.245.103
 unknown Germany
24961 MYLOC-ASIPBackboneofmyLocmanagedITAGDE true
194.87.95.120
 unknown Russian Federation
48347 MTW-ASRU true
185.158.113.62
 unknown Russian Federation
44812 IPSERVER-RU-NETFiordRU true
194.87.239.114
 unknown Russian Federation
48347 MTW-ASRU true
195.133.48.80
 unknown Russian Federation
48347 MTW-ASRU true
194.87.99.220
 unknown Russian Federation
48347 MTW-ASRU true
169.239.129.42
 unknown Seychelles
61138 ZAPPIE-HOST-ASZappieHostGB true
193.19.118.207
 unknown Russian Federation
44812 IPSERVER-RU-NETFiordRU true
91.83.88.51
 unknown Hungary
12301 INVITECHHU true
199.48.160.60
 unknown United States
19531 NODESDIRECTUS true
94.242.224.218
 unknown Luxembourg
5577 ROOTLU true

Contacted Domains

Name IP Active
api.ipify.org 104.26.12.205 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ true
  • Avira URL Cloud: safe
 unknown