Edit tour

Windows Analysis Report
55ryoipjfdr.exe

Overview

General Information

Sample name:	55ryoipjfdr.exe
Analysis ID:	1592535
MD5:	f0b9f50c6a247ac5ca9cc95135b83dcf
SHA1:	c1b276883da10fa2bf1c37a3851781e5c702a601
SHA256:	068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
Tags:	exemalwareRansomwareuser-Joker
Infos:

Detection

Trickbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Trickbot e-Banking trojan config

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Trickbot

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected PersistenceViaHiddenTask

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

55ryoipjfdr.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\55ryoipjfdr.exe" MD5: F0B9F50C6A247AC5CA9CC95135B83DCF)

44qxnhoiecq.exe (PID: 8020 cmdline: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe MD5: F0B9F50C6A247AC5CA9CC95135B83DCF)

svchost.exe (PID: 1984 cmdline: svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

44qxnhoiecq.exe (PID: 7308 cmdline: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe MD5: F0B9F50C6A247AC5CA9CC95135B83DCF)

svchost.exe (PID: 5496 cmdline: svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
TrickBot	A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.- Q4 2016 - Detected in wildOct 2016 - 1st Report2017 - Trickbot primarily uses Necurs as vehicle for installs.Jan 2018 - Use XMRIG (Monero) minerFeb 2018 - Theft BitcoinMar 2018 - Unfinished ransomware moduleQ3/4 2018 - Trickbot starts being spread through Emotet.Infection Vector1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot3. Phish > Attached MS Office > Macro enabled > Trickbot installed	TA505 UNC1878 WIZARD SPIDER	http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot http://www.malware-traffic-analysis.net/2018/02/01/ http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html http://www.secureworks.com/research/threat-profiles/gold-blackburn	https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot

Malware Configuration

Threatname: Trickbot

{"ver": "1000047", "gtag": "mac1", "servs": ["91.83.88.51:449", "193.19.118.207:443", "185.15.245.102:443", "185.15.245.103:443", "199.48.160.60:443", "195.133.48.80:443", "147.135.196.128:443", "194.87.95.120:443", "194.87.99.62:443", "194.87.239.114:443", "94.242.224.218:443", "195.133.147.135:443", "185.158.113.62:443", "194.87.146.180:443", "194.87.99.220:443", "194.87.95.122:443", "194.87.111.6:443", "195.133.197.187:443", "194.87.99.210:443", "169.239.129.42:443", "178.156.202.97:443"], "ecc_key": "RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg="}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x69d8:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x69d8:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp	Trickbot	detect TrickBot in memory	JPCERT/CC Incident Response Group	0xaed2:$tagm1: <mcconf><ver> 0x9480:$tagm2: </autorun></mcconf> 0xb4a2:$tagm2: </autorun></mcconf>
00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Trickbot_1	Yara detected Trickbot	Joe Security
00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp	Trickbot	detect TrickBot in memory	JPCERT/CC Incident Response Group	0x18098:$tagm1: <mcconf><ver> 0x18668:$tagm2: </autorun></mcconf>
00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x1d6d0:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x17d80:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
Process Memory Space: svchost.exe PID: 1984	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Process Memory Space: svchost.exe PID: 5496	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Process Memory Space: svchost.exe PID: 5496	JoeSecurity_Trickbot_1	Yara detected Trickbot	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.svchost.exe.140000000.0.unpack	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x6dd8:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
8.2.svchost.exe.140000000.0.unpack	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x6dd8:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: svchost.exe -k netsvcs, CommandLine: svchost.exe -k netsvcs, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe, ParentImage: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe, ParentProcessId: 8020, ParentProcessName: 44qxnhoiecq.exe, ProcessCommandLine: svchost.exe -k netsvcs, ProcessId: 1984, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: svchost.exe -k netsvcs, CommandLine: svchost.exe -k netsvcs, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe, ParentImage: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe, ParentProcessId: 8020, ParentProcessName: 44qxnhoiecq.exe, ProcessCommandLine: svchost.exe -k netsvcs, ProcessId: 1984, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Win32/TrickBot CnC Initial Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T09:10:55.439247+0100	2838349	1	Malware Command and Control Activity Detected	192.168.2.8	49713	194.87.99.210	443	TCP
2025-01-16T09:10:56.730422+0100	2838349	1	Malware Command and Control Activity Detected	192.168.2.8	49714	194.87.99.210	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 55ryoipjfdr.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Avira: detection malicious, Label: HEUR/AGEN.1315497

Found malware configuration

Source: 6.2.svchost.exe.140000000.0.unpack

Malware Configuration Extractor: Trickbot {"ver": "1000047", "gtag": "mac1", "servs": ["91.83.88.51:449", "193.19.118.207:443", "185.15.245.102:443", "185.15.245.103:443", "199.48.160.60:443", "195.133.48.80:443", "147.135.196.128:443", "194.87.95.120:443", "194.87.99.62:443", "194.87.239.114:443", "94.242.224.218:443", "195.133.147.135:443", "185.158.113.62:443", "194.87.146.180:443", "194.87.99.220:443", "194.87.95.122:443", "194.87.111.6:443", "195.133.197.187:443", "194.87.99.210:443", "169.239.129.42:443", "178.156.202.97:443"], "ecc_key": "RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

ReversingLabs: Detection: 94%

Multi AV Scanner detection for submitted file

Source: 55ryoipjfdr.exe	Virustotal: Detection: 90%			Perma Link
Source: 55ryoipjfdr.exe	ReversingLabs: Detection: 94%

Yara detected Trickbot

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 55ryoipjfdr.exe

Joe Sandbox ML: detected

Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140007340 memcpy,HeapFree,CryptReleaseContext,	6_2_0000000140007340
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140006FB0 HeapFree,CryptReleaseContext,	6_2_0000000140006FB0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140006FB0 HeapFree,CryptReleaseContext,	8_2_0000000140006FB0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140007340 memcpy,HeapFree,CryptReleaseContext,	8_2_0000000140007340

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack

Source: 55ryoipjfdr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 194.87.99.210:443 -> 192.168.2.8:49713 version: TLS 1.2

Source: C:\Windows\System32\svchost.exe

Code function: 8_2_000000014000D0F0 HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,FindNextFileW,GetLastError,

8_2_000000014000D0F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838349 - Severity 1 - ETPRO MALWARE Win32/TrickBot CnC Initial Checkin : 192.168.2.8:49714 -> 194.87.99.210:443
Source: Network traffic	Suricata IDS: 2838349 - Severity 1 - ETPRO MALWARE Win32/TrickBot CnC Initial Checkin : 192.168.2.8:49713 -> 194.87.99.210:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 91.83.88.51:449
Source: Malware configuration extractor	IPs: 193.19.118.207:443
Source: Malware configuration extractor	IPs: 185.15.245.102:443
Source: Malware configuration extractor	IPs: 185.15.245.103:443
Source: Malware configuration extractor	IPs: 199.48.160.60:443
Source: Malware configuration extractor	IPs: 195.133.48.80:443
Source: Malware configuration extractor	IPs: 147.135.196.128:443
Source: Malware configuration extractor	IPs: 194.87.95.120:443
Source: Malware configuration extractor	IPs: 194.87.99.62:443
Source: Malware configuration extractor	IPs: 194.87.239.114:443
Source: Malware configuration extractor	IPs: 94.242.224.218:443
Source: Malware configuration extractor	IPs: 195.133.147.135:443
Source: Malware configuration extractor	IPs: 185.158.113.62:443
Source: Malware configuration extractor	IPs: 194.87.146.180:443
Source: Malware configuration extractor	IPs: 194.87.99.220:443
Source: Malware configuration extractor	IPs: 194.87.95.122:443
Source: Malware configuration extractor	IPs: 194.87.111.6:443
Source: Malware configuration extractor	IPs: 195.133.197.187:443
Source: Malware configuration extractor	IPs: 194.87.99.210:443
Source: Malware configuration extractor	IPs: 169.239.129.42:443
Source: Malware configuration extractor	IPs: 178.156.202.97:443

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	ASN Name: SERVIHOSTING-ASAireNetworksES SERVIHOSTING-ASAireNetworksES
Source: Joe Sandbox View	ASN Name: MTW-ASRU MTW-ASRU

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic	HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: api.ipify.org

Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic	HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: api.ipify.org

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 16 Jan 2025 08:10:55 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 16 Jan 2025 08:10:56 GMTContent-Type: text/htmlContent-Length: 564Connection: close

Source: svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.95.122/
Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670835827.00000159F2AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/H
Source: svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.95.122:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670888110.00000159F2AEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210/
Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2670682517.00000159F2A71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670682517.00000159F2A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/u
Source: svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670621225.00000159F2A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/pD

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 194.87.99.210:443 -> 192.168.2.8:49713 version: TLS 1.2

E-Banking Fraud

Detected Trickbot e-Banking trojan config

Source: svchost.exe, 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <mcconf><ver>1000047</ver><gtag>mac1</gtag><servs><srv>91.83.88.51:449</srv><srv>193.19.118.207:443</srv><srv>185.15.245.102:443</srv><srv>185.15.245.103:443</srv><srv>199.48.160.60:443</srv><srv>195.133.48.80:443</srv><srv>147.135.196.128:443</srv><srv>194.87.95.120:443</srv><srv>194.87.99.62:443</srv><srv>194.87.239.114:443</srv><srv>94.242.224.218:443</srv><srv>195.133.147.135:443</srv><srv>185.158.113.62:443</srv><srv>194.87.146.180:443</srv><srv>194.87.99.220:443</srv><srv>194.87.95.122:443</srv><srv>194.87.111.6:443</srv><srv>195.133.197.187:443</srv><srv>194.87.99.210:443</srv><srv>169.239.129.42:443</srv><srv>178.156.202.97:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="testnewinj3Dll"/></autorun></mcconf>pe>InteractiveToken</LogonType>
Source: svchost.exe, 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <mcconf><ver>1000047</ver><gtag>mac1</gtag><servs><srv>91.83.88.51:449</srv><srv>193.19.118.207:443</srv><srv>185.15.245.102:443</srv><srv>185.15.245.103:443</srv><srv>199.48.160.60:443</srv><srv>195.133.48.80:443</srv><srv>147.135.196.128:443</srv><srv>194.87.95.120:443</srv><srv>194.87.99.62:443</srv><srv>194.87.239.114:443</srv><srv>94.242.224.218:443</srv><srv>195.133.147.135:443</srv><srv>185.158.113.62:443</srv><srv>194.87.146.180:443</srv><srv>194.87.99.220:443</srv><srv>194.87.95.122:443</srv><srv>194.87.111.6:443</srv><srv>195.133.197.187:443</srv><srv>194.87.99.210:443</srv><srv>169.239.129.42:443</srv><srv>178.156.202.97:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="testnewinj3Dll"/></autorun></mcconf>

Yara detected Trickbot

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 8.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect TrickBot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect TrickBot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess,	0_2_00401A00
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001A20 EntryPoint,NtClose,NtClose,	3_3_10001A20
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001920 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,	3_3_10001920
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10003220 NtReadVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,	3_3_10003220
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001830 NtAllocateVirtualMemory,	3_3_10001830
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10002CB0 MultiByteToWideChar,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrLoadDll,NtReadVirtualMemory,NtFreeVirtualMemory,	3_3_10002CB0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_100018C0 NtProtectVirtualMemory,	3_3_100018C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_100017D0 NtWriteVirtualMemory,	3_3_100017D0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001AE0 NtCreateEvent,NtCreateEvent,NtDuplicateObject,NtDuplicateObject,NtSignalAndWaitForSingleObject,NtClose,NtClearEvent,NtWriteVirtualMemory,NtClearEvent,NtClearEvent,NtResumeThread,NtSignalAndWaitForSingleObject,NtClose,NtClose,NtDuplicateObject,NtDuplicateObject,NtFreeVirtualMemory,NtFreeVirtualMemory,	3_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10002F60 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrGetProcedureAddress,NtReadVirtualMemory,NtFreeVirtualMemory,	3_3_10002F60
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_100015F0 NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,	3_3_100015F0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10003470 NtReadVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,	3_3_10003470
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001FF0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtQueryInformationProcess,NtWriteVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,	3_3_10001FF0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001880 NtFreeVirtualMemory,	3_3_10001880
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001E70 NtReadVirtualMemory,NtWriteVirtualMemory,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtSignalAndWaitForSingleObject,NtClose,NtClose,	3_3_10001E70
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001A20 EntryPoint,NtClose,NtClose,	7_3_10001A20
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001920 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,	7_3_10001920
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10003220 NtReadVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,	7_3_10003220
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001830 NtAllocateVirtualMemory,	7_3_10001830
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10002CB0 MultiByteToWideChar,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrLoadDll,NtReadVirtualMemory,NtFreeVirtualMemory,	7_3_10002CB0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_100018C0 NtProtectVirtualMemory,	7_3_100018C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_100017D0 NtWriteVirtualMemory,	7_3_100017D0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001AE0 NtCreateEvent,NtCreateEvent,NtDuplicateObject,NtDuplicateObject,NtSignalAndWaitForSingleObject,NtClose,NtClearEvent,NtWriteVirtualMemory,NtClearEvent,NtClearEvent,NtResumeThread,NtSignalAndWaitForSingleObject,NtClose,NtClose,NtDuplicateObject,NtDuplicateObject,NtFreeVirtualMemory,NtFreeVirtualMemory,	7_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10002F60 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrGetProcedureAddress,NtReadVirtualMemory,NtFreeVirtualMemory,	7_3_10002F60
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_100015F0 NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,	7_3_100015F0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10003470 NtReadVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,	7_3_10003470
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001FF0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtQueryInformationProcess,NtWriteVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,	7_3_10001FF0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001880 NtFreeVirtualMemory,	7_3_10001880
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001E70 NtReadVirtualMemory,NtWriteVirtualMemory,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtSignalAndWaitForSingleObject,NtClose,NtClose,	7_3_10001E70

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001AE0	3_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001FF0	3_3_10001FF0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140002900	6_2_0000000140002900
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140012820	6_2_0000000140012820
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140003860	6_2_0000000140003860
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140014080	6_2_0000000140014080
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000014000E0C0	6_2_000000014000E0C0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140013CD0	6_2_0000000140013CD0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000014000F8D0	6_2_000000014000F8D0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000014000E6D0	6_2_000000014000E6D0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000014000F310	6_2_000000014000F310
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140015340	6_2_0000000140015340
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001400179C0	6_2_00000001400179C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001AE0	7_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001FF0	7_3_10001FF0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140002900	8_2_0000000140002900
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140012820	8_2_0000000140012820
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140003860	8_2_0000000140003860
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140014080	8_2_0000000140014080
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_000000014000E0C0	8_2_000000014000E0C0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140013CD0	8_2_0000000140013CD0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_000000014000F8D0	8_2_000000014000F8D0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_000000014000E6D0	8_2_000000014000E6D0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_000000014000F310	8_2_000000014000F310
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140015340	8_2_0000000140015340
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_00000001400179C0	8_2_00000001400179C0

Source: 55ryoipjfdr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 8.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trickbot hash1 = 2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c, author = JPCERT/CC Incident Response Group, description = detect TrickBot in memory, rule_usage = memory scan
Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trickbot hash1 = 2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c, author = JPCERT/CC Incident Response Group, description = detect TrickBot in memory, rule_usage = memory scan
Source: 00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@8/4@1/22

Source: C:\Windows\System32\svchost.exe

Code function: 6_2_0000000140002900 SetCurrentDirectoryW,GetTickCount,srand,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,??2@YAPEAX_K@Z,HeapFree,HeapFree,_time64,_time64,Sleep,??2@YAPEAX_K@Z,HeapFree,_time64,??3@YAXPEAX@Z,HeapFree,Sleep,_time64,HeapFree,_time64,_wtoi,_wtoi,HeapFree,HeapFree,HeapFree,FreeLibrary,CoUninitialize,

6_2_0000000140002900

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Code function: 0_2_0040197E FindResourceW,LoadResource,LockResource,SizeofResource,

0_2_0040197E

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

File created: C:\Users\user\AppData\Roaming\winapp

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Mutant created: \BaseNamedObjects\Global\VLock
Source: C:\Windows\System32\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\VLock

Source: 55ryoipjfdr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 55ryoipjfdr.exe	Virustotal: Detection: 90%
Source: 55ryoipjfdr.exe	ReversingLabs: Detection: 94%

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

File read: C:\Users\user\Desktop\55ryoipjfdr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\55ryoipjfdr.exe "C:\Users\user\Desktop\55ryoipjfdr.exe"
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs
Source: unknown	Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs	Jump to behavior

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: gqrotepg.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: remotepg.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: regapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: gqrotepg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: remotepg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: regapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: gqrotepg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: remotepg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: regapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: 55ryoipjfdr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess,

0_2_00401A00

Persistence and Installation Behavior

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

File created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Jump to dropped file

Boot Survival

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Source: C:\Windows\System32\svchost.exe

Code function: 6_2_000000014000C3F0 LoadLibraryExW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_000000014000C3F0

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD304
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD6E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA04
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD244
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD2E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD6C4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD424
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AE654
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD784
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD744
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD3C4

Source: C:\Windows\System32\svchost.exe

Code function: HeapFree,GetAdaptersInfo,HeapFree,HeapFree,

8_2_000000014000A230

Source: C:\Windows\System32\svchost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_6-8785

Source: C:\Windows\System32\svchost.exe

API coverage: 4.8 %

Source: C:\Windows\System32\svchost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

Code function: 8_2_000000014000D0F0 HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,FindNextFileW,GetLastError,

8_2_000000014000D0F0

Source: C:\Windows\System32\svchost.exe

Code function: 6_2_000000014000C0C0 GetProcAddress,GetSystemInfo,

6_2_000000014000C0C0

Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124@%SystemRoot%\System32\ci.dll,-100Hyper-V RAWDDDD
Source: svchost.exe, 00000008.00000002.2670682517.00000159F2A77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000002.2670494241.00000159F2A2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@f

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Code function: 3_3_10001020 LdrLoadDll,LdrLoadDll,

3_3_10001020

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess,

0_2_00401A00

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_0040116E mov eax, dword ptr fs:[00000030h]	0_2_0040116E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_004C007E push dword ptr fs:[00000030h]	0_2_004C007E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_004C03BB push dword ptr fs:[00000030h]	0_2_004C03BB
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_004D007E push dword ptr fs:[00000030h]	0_2_004D007E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_004D03BB push dword ptr fs:[00000030h]	0_2_004D03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_2_007B03BB push dword ptr fs:[00000030h]	3_2_007B03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_2_007B007E push dword ptr fs:[00000030h]	3_2_007B007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_2_007C007E push dword ptr fs:[00000030h]	3_2_007C007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_2_007C03BB push dword ptr fs:[00000030h]	3_2_007C03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_2_006B03BB push dword ptr fs:[00000030h]	7_2_006B03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_2_006B007E push dword ptr fs:[00000030h]	7_2_006B007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_2_006C007E push dword ptr fs:[00000030h]	7_2_006C007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_2_006C03BB push dword ptr fs:[00000030h]	7_2_006C03BB

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Code function: 0_2_00402200 GetProcessHeap,RtlFreeHeap,

0_2_00402200

Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140018520 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0000000140018520
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140018168 SetUnhandledExceptionFilter,	6_2_0000000140018168
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140018168 SetUnhandledExceptionFilter,	8_2_0000000140018168
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140018520 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0000000140018520

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EE20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EE30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140001000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140019000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140020000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140021000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140023000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F28A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F28B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140001000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140019000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140020000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140021000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140023000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29D0000 protect: page execute and read and write	Jump to behavior

Hijacks the control flow in another process

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: PID: 1984 base: 140020000 value: FF			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: PID: 5496 base: 140020000 value: FF			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140000000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140000000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 7FF67E6D5080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140020000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140020000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140021000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140021000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140023000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140023000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140024000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140024000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019180	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019190	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019198	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191B0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191B8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191E0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191E8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019200	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019208	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019220	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019228	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019230	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019238	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019240	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019248	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019260	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019268	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019270	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019278	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019018	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019020	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019028	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019040	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019050	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019058	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019068	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019070	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019088	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019090	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019098	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019290	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190B8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190E8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019100	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019108	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019118	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019128	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019130	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019150	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019158	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019160	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019168	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019170	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: B25F9B4010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0F003F30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0F003F48	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F28A0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 7FF67E6D5080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140020000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140020000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140021000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140021000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140023000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140023000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140024000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140024000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019180	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019190	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019198	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191B0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191B8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191E0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191E8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019200	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019208	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019220	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019228	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019230	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019238	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019240	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019248	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019260	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019268	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019270	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019278	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019018	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019020	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019028	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019040	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019050	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019058	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019068	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019070	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019088	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019090	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019098	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019290	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190B8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190E8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019100	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019108	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019118	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019128	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019130	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019140	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs			Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 6_2_00000001400182FC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

6_2_00000001400182FC

Stealing of Sensitive Information

Yara detected Trickbot

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Remote Access Functionality

Yara detected Trickbot

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	2 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
55ryoipjfdr.exe	90%	Virustotal		Browse
55ryoipjfdr.exe	95%	ReversingLabs	Win32.Ransomware.HydraCrypt
55ryoipjfdr.exe	100%	Avira	HEUR/AGEN.1315497
55ryoipjfdr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	100%	Avira	HEUR/AGEN.1315497
C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	95%	ReversingLabs	Win32.Ransomware.HydraCrypt

Source	Detection	Scanner	Label
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	0%	Avira URL Cloud	safe
https://194.87.95.122/	0%	Avira URL Cloud	safe
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/u	0%	Avira URL Cloud	safe
https://194.87.95.122:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	0%	Avira URL Cloud	safe
https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	0%	Avira URL Cloud	safe
https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	0%	Avira URL Cloud	safe
https://194.87.99.210/	0%	Avira URL Cloud	safe
https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/H	0%	Avira URL Cloud	safe
https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/pD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://194.87.95.122/	svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.95.122:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/u	svchost.exe, 00000008.00000002.2670682517.00000159F2A71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.99.210/	svchost.exe, 00000008.00000002.2670888110.00000159F2AEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/H	svchost.exe, 00000008.00000002.2670835827.00000159F2AB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/pD	svchost.exe, 00000008.00000002.2670621225.00000159F2A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
178.156.202.97	unknown	Romania	29119	SERVIHOSTING-ASAireNetworksES	true
194.87.99.62	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.146.180	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.111.6	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.95.122	unknown	Russian Federation	48347	MTW-ASRU	true
147.135.196.128	unknown	France	16276	OVHFR	true
195.133.147.135	unknown	Russian Federation	48347	MTW-ASRU	true
195.133.197.187	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.99.210	unknown	Russian Federation	48347	MTW-ASRU	true
185.15.245.102	unknown	Germany	24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	true
185.15.245.103	unknown	Germany	24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	true
194.87.95.120	unknown	Russian Federation	48347	MTW-ASRU	true
185.158.113.62	unknown	Russian Federation	44812	IPSERVER-RU-NETFiordRU	true
194.87.239.114	unknown	Russian Federation	48347	MTW-ASRU	true
195.133.48.80	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.99.220	unknown	Russian Federation	48347	MTW-ASRU	true
169.239.129.42	unknown	Seychelles	61138	ZAPPIE-HOST-ASZappieHostGB	true
193.19.118.207	unknown	Russian Federation	44812	IPSERVER-RU-NETFiordRU	true
91.83.88.51	unknown	Hungary	12301	INVITECHHU	true
199.48.160.60	unknown	United States	19531	NODESDIRECTUS	true
94.242.224.218	unknown	Luxembourg	5577	ROOTLU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592535
Start date and time:	2025-01-16 09:08:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	55ryoipjfdr.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@8/4@1/22
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 82 Number of non-executed functions: 149
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
03:10:54	API Interceptor	1x Sleep call for process: svchost.exe modified
09:10:20	Task Scheduler	Run new task: services update path: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	api.ipify.org/
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://cancelartransferenciaprogramadabdb.glitch.me/	Get hash	malicious	Unknown	Browse	104.26.12.205
	009.vbe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://adelademable.org/abujguyaleon.html	Get hash	malicious	Unknown	Browse	104.26.12.205
	0969686.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	NEW SHIPPING DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	new order.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	Employee_Salary_Update.docx	Get hash	malicious	Unknown	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	104.21.96.1
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	QT202515010642.JPG.PDF.vbs	Get hash	malicious	Unknown	Browse	104.17.151.117
	Personliche Nachricht fur Friedhelm Hanusch.pdf	Get hash	malicious	Unknown	Browse	104.18.94.41
	arm7.elf	Get hash	malicious	Unknown	Browse	1.12.192.222
	https://solve.xfzz.org/awjsx.captcha?u=20d5b468-46a4-4894-abf8-dabd03b71a69	Get hash	malicious	Unknown	Browse	172.67.215.98
	https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO4gpJ&MID=gbzhqmttgi2dknbxgyza&CNO=&isCXComm=1	Get hash	malicious	Unknown	Browse	104.21.63.154
	https://vyralink.emlnk.com/lt.php?x=3DZy~GE7IaWZ5XV7zAA9W.Zs~X7UvAL0v~hgXXLLJ3ag6X8v-Uy.xuG-142imNf#user_email=fiona.zhang@bbraun.com&fname=Zhang&lname=Fiona	Get hash	malicious	Unknown	Browse	104.17.25.14
SERVIHOSTING-ASAireNetworksES	elitebotnet.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	178.156.215.19
	4.elf	Get hash	malicious	Unknown	Browse	185.27.124.167
	mpsl.elf	Get hash	malicious	Mirai	Browse	89.44.65.127
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	213.170.233.169
	armv7l.elf	Get hash	malicious	Mirai	Browse	5.83.49.109
	Hilix.ppc.elf	Get hash	malicious	Mirai	Browse	185.132.166.222
	Hilix.mpsl.elf	Get hash	malicious	Mirai	Browse	185.237.202.191
	Hilix.x86.elf	Get hash	malicious	Mirai	Browse	185.132.166.208
	nabm68k.elf	Get hash	malicious	Unknown	Browse	151.237.211.60
	splmpsl.elf	Get hash	malicious	Unknown	Browse	185.178.168.147
MTW-ASRU	botx.m68k.elf	Get hash	malicious	Mirai	Browse	195.133.157.170
	8N8j6QojHn.dll	Get hash	malicious	Unknown	Browse	195.133.1.117
	8N8j6QojHn.dll	Get hash	malicious	Unknown	Browse	195.133.1.117
	ET5.exe	Get hash	malicious	Unknown	Browse	45.141.101.45
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	193.124.107.252
	na.elf	Get hash	malicious	Unknown	Browse	193.124.64.114
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	193.124.64.126
	g082Q9DajU.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer	Browse	195.133.48.136
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	195.133.48.136
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	195.133.48.136

Process:	C:\Users\user\Desktop\55ryoipjfdr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396288
Entropy (8bit):	7.640880445990648
Encrypted:	false
SSDEEP:	6144:89FHululululululu4uOjzzUDjTgfH1okjroGWr2:89FHKKKKKKFzjzQJ5
MD5:	F0B9F50C6A247AC5CA9CC95135B83DCF
SHA1:	C1B276883DA10FA2BF1C37A3851781E5C702A601
SHA-256:	068AF8016C36FCE5CF1E1A4722C1DC0D6E02CB6ED58B61C2BA99A54D294CC274
SHA-512:	F02FCB14FFD9415281C4E2F916FB8A38E80BCD885A1EC6E07B73698C9878A8318E60092DA859818CDF49DE263F99F768684DA5ECEA669A9A2623A03A5D6DB1BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.U.....................F...................@..........................@......h...........................................x....... ...............................................................................$............................text............................... ..`.rdata..l5.......6.................. ..@.data....y... ...z..................@....rsrc... ............v.................@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\55ryoipjfdr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\winapp\client_id

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	100
Entropy (8bit):	2.9436287058372557
Encrypted:	false
SSDEEP:	3:jlkvoOPPlllMH/KUnYR8H3TRlg4fn:jevoO10HLY61lgOn
MD5:	5490E48281541B751FBD683F84E39A7E
SHA1:	0BF2CC08C8411227DB415756ABB00E223CF151BB
SHA-256:	37191C2B65ED5E5C914C289CF8E7FF8330BD249F5E6B1A88DAD24F2348886D3C
SHA-512:	38CFA10E4880F601EBC52758DD656D3CE7B830463C6B1A8BE72E9C80D598EDAF358EE8F0C677C32E476517834643160E10634C207D588B0E40573B53E48DC490
Malicious:	false
Reputation:	low
Preview:	5.3.0.9.7.8._.W.1.0.0.1.9.0.4.5...D.A.5.B.5.3.9.6.6.F.E.F.B.7.4.C.8.9.8.3.6.3.C.3.E.E.6.1.8.E.B.5...

C:\Users\user\AppData\Roaming\winapp\group_tag

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	1.7709505944546688
Encrypted:	false
SSDEEP:	3:zl/:zl/
MD5:	9A878743FE56E3481D8D00A4DD43D2CB
SHA1:	E52D81B1838C735F0563ED631EDB19E95F542679
SHA-256:	B4B7C9157A3698AF44CF82CCB87D2A2BE658B18BE04B8051611144A908857927
SHA-512:	D4863D6C23D404B9C493EF75D8ED0B31969EC6BD24EDD377BA93F9AA2B30AE498B1BBDFDA3B41C2BCDC7238F7FA23CBBF9A4F29A4E4948A85D128EC9988249C2
Malicious:	false
Reputation:	low
Preview:	m.a.c.1...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.640880445990648
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	55ryoipjfdr.exe
File size:	396'288 bytes
MD5:	f0b9f50c6a247ac5ca9cc95135b83dcf
SHA1:	c1b276883da10fa2bf1c37a3851781e5c702a601
SHA256:	068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
SHA512:	f02fcb14ffd9415281c4e2f916fb8a38e80bcd885a1ec6e07b73698c9878a8318e60092da859818cdf49de263f99f768684da5ecea669a9a2623a03a5d6db1bb
SSDEEP:	6144:89FHululululululu4uOjzzUDjTgfH1okjroGWr2:89FHKKKKKKFzjzQJ5
TLSH:	4F84D76A700ACB90DFC8D0FB2CD395F33A642363949B8E9C561D5F95BAE0DFC9960244
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.U.....................F....................@..........................@......h......................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40a8d7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x55114F00 [Tue Mar 24 11:48:16 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e24946fd3b548d18411ea3dc85666a69

Entrypoint Preview

Instruction
push ebp
push esp
pop ebp
lea esp, dword ptr [ebp-2Ch]
lea ecx, dword ptr [00000049h]
lea eax, dword ptr [00000008h]
inc eax
push eax
push 0041297Dh
push 0041296Bh
call dword ptr [0040C808h]
push 00412986h
lea eax, dword ptr [FFFFFFFFh]
inc eax
push eax
lea eax, dword ptr [000FFFFFh]
inc eax
push eax
call dword ptr [0040C7D8h]
test eax, eax
jne 00007F80593139BFh
push 00412986h
lea eax, dword ptr [FFFFFFFFh]
inc eax
push eax
lea eax, dword ptr [000FFFFFh]
inc eax
push eax
call dword ptr [0040C7D8h]
cmp eax, 00000000h
jne 00007F805931399Bh
lea eax, dword ptr [00000008h]
inc eax
push eax
push 0041297Dh
push 0041296Bh
call dword ptr [0040C808h]
push 00412986h
lea eax, dword ptr [FFFFFFFFh]
inc eax
push eax
lea eax, dword ptr [000FFFFFh]
inc eax
push eax
call dword ptr [0040C7D8h]
cmp eax, 00000000h
jne 00007F805931395Fh
push 0040738Fh
ret
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lea eax, dword ptr [00000008h]
inc eax
push eax
push 0041297Dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x49520	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf6d0	0x1e9c	.rdata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1204	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc71c	0x124	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc0c8	0xc200	652b75188d378644e33c0f240ba7cdd0	False	0.14410840850515463	data	4.639698222820729	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x356c	0x3600	5887208e6d7eee01aed0c9730c63b618	False	0.5432581018518519	data	5.543532077797315	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x798f	0x7a00	18c3ed8d7ca1a47b64c23553968c7c51	False	0.1443391393442623	data	7.640824225225697	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x49520	0x49600	1e9722598152d22e71d517b382fa6c49	False	0.8315521188245315	data	7.813923857717711	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_DIALOG	0x1a120	0x3d200	data	English	United States	0.9962215618609407
RT_DIALOG	0x57320	0x4000	data	English	United States	0.00738525390625
RT_DIALOG	0x5b320	0x4000	data	English	United States	0.00738525390625
RT_DIALOG	0x5f320	0x4000	data	English	United States	0.00738525390625
RT_DIALOG	0x63320	0x200	data	English	United States	0.12109375

Imports

DLL	Import
advapi32.dll	RegEnumKeyW, OpenEventLogW, ClearEventLogA, LogonUserW, InitializeAcl, CryptSignHashW, RegOpenKeyA, ControlService, RegReplaceKeyA, RegSaveKeyA, RegCreateKeyExA, RegUnLoadKeyA
authz.dll	AuthzAddSidsToContext, AuthzInitializeContextFromSid
shlwapi.dll	UrlIsNoHistoryW, PathIsRootW, UrlGetLocationW, UrlCombineW, PathCommonPrefixA, UrlIsOpaqueW, PathCompactPathW, PathAppendA, PathCombineA, UrlCompareW, PathIsURLW, UrlIsA, UrlHashW, UrlGetPartW
wtsapi32.dll	WTSFreeMemory, WTSSetSessionInformationW, WTSVirtualChannelRead, WTSWaitSystemEvent, WTSRegisterSessionNotification, WTSQueryUserToken, WTSVirtualChannelPurgeInput, WTSQuerySessionInformationA, WTSSetUserConfigW, WTSEnumerateSessionsW, WTSEnumerateServersA
kernel32.dll	WaitForSingleObject, CreateJobObjectW, GetProcAddress, GetStringTypeW, OpenJobObjectW, InitializeCriticalSection, GetCommandLineW, MoveFileA, GetModuleHandleA, GetTempPathA, ReadConsoleA, GetProfileSectionA, GetSystemDirectoryA, CreateMailslotA, CreateFileW, GetLogicalDriveStringsA, GetModuleFileNameW, UnmapViewOfFile, GetDateFormatA, GetVersion, LoadLibraryExA, GetExpandedNameA, lstrcmpiA, DeleteFileW, SearchPathW, GetTickCount, GetFileAttributesW, MoveFileExA, GetConsoleAliasA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T09:10:55.439247+0100	2838349	ETPRO MALWARE Win32/TrickBot CnC Initial Checkin	1	192.168.2.8	49713	194.87.99.210	443	TCP
2025-01-16T09:10:56.730422+0100	2838349	ETPRO MALWARE Win32/TrickBot CnC Initial Checkin	1	192.168.2.8	49714	194.87.99.210	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:10:53.645608902 CET	49712	80	192.168.2.8	104.26.12.205
Jan 16, 2025 09:10:53.650430918 CET	80	49712	104.26.12.205	192.168.2.8
Jan 16, 2025 09:10:53.650510073 CET	49712	80	192.168.2.8	104.26.12.205
Jan 16, 2025 09:10:53.650801897 CET	49712	80	192.168.2.8	104.26.12.205
Jan 16, 2025 09:10:53.655590057 CET	80	49712	104.26.12.205	192.168.2.8
Jan 16, 2025 09:10:54.159845114 CET	80	49712	104.26.12.205	192.168.2.8
Jan 16, 2025 09:10:54.209256887 CET	49712	80	192.168.2.8	104.26.12.205
Jan 16, 2025 09:10:54.265755892 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:54.265813112 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:54.266088963 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:54.267465115 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:54.267484903 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.102375031 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.102447987 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.106292963 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.106322050 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.106549025 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.136301994 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.179358959 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.439097881 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.439146042 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.439194918 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.553175926 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.553255081 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.554389954 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.554425955 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.554774046 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.554894924 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.554903984 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.393158913 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.394299984 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:56.394324064 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.394807100 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:56.394812107 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.730360985 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.730442047 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.730519056 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:56.731654882 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:56.731667042 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.732568026 CET	49715	443	192.168.2.8	194.87.95.122
Jan 16, 2025 09:10:56.732675076 CET	443	49715	194.87.95.122	192.168.2.8
Jan 16, 2025 09:10:56.732928991 CET	49715	443	192.168.2.8	194.87.95.122
Jan 16, 2025 09:10:56.733190060 CET	49715	443	192.168.2.8	194.87.95.122
Jan 16, 2025 09:10:56.733226061 CET	443	49715	194.87.95.122	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:10:53.632669926 CET	56028	53	192.168.2.8	1.1.1.1
Jan 16, 2025 09:10:53.640288115 CET	53	56028	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 09:10:53.632669926 CET	192.168.2.8	1.1.1.1	0x9978	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 09:10:53.640288115 CET	1.1.1.1	192.168.2.8	0x9978	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:10:53.640288115 CET	1.1.1.1	192.168.2.8	0x9978	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:10:53.640288115 CET	1.1.1.1	192.168.2.8	0x9978	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

194.87.99.210

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49712	104.26.12.205	80	5496	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 09:10:53.650801897 CET	187	OUT	GET / HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Host: api.ipify.org
Jan 16, 2025 09:10:54.159845114 CET	430	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:10:54 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 902ca1b808646fc5-IAD server-timing: cfL4;desc="?proto=TCP&rtt=7051&min_rtt=7051&rtt_var=3525&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=187&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49713	194.87.99.210	443	5496	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 08:10:55 UTC	248	OUT	GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Host: 194.87.99.210
2025-01-16 08:10:55 UTC	159	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Thu, 16 Jan 2025 08:10:55 GMT Content-Type: text/html Content-Length: 564 Connection: close
2025-01-16 08:10:55 UTC	564	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	194.87.99.210	443	5496	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 08:10:56 UTC	248	OUT	GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Host: 194.87.99.210
2025-01-16 08:10:56 UTC	159	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Thu, 16 Jan 2025 08:10:56 GMT Content-Type: text/html Content-Length: 564 Connection: close
2025-01-16 08:10:56 UTC	564	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable

Target ID:	0
Start time:	03:09:09
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\55ryoipjfdr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\55ryoipjfdr.exe"
Imagebase:	0x400000
File size:	396'288 bytes
MD5 hash:	F0B9F50C6A247AC5CA9CC95135B83DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:09:46
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Imagebase:	0x400000
File size:	396'288 bytes
MD5 hash:	F0B9F50C6A247AC5CA9CC95135B83DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Trickbot_01365e46, Description: unknown, Source: 00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:10:18
Start date:	16/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe -k netsvcs
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Trickbot_01365e46, Description: unknown, Source: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:10:21
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Imagebase:	0x400000
File size:	396'288 bytes
MD5 hash:	F0B9F50C6A247AC5CA9CC95135B83DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Trickbot_01365e46, Description: unknown, Source: 00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:10:52
Start date:	16/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe -k netsvcs
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Trickbot_01365e46, Description: unknown, Source: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Author: unknown Rule: Trickbot, Description: detect TrickBot in memory, Source: 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Trickbot_1, Description: Yara detected Trickbot, Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Trickbot, Description: detect TrickBot in memory, Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 55ryoipjfdr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Trickbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\winapp\client_id

C:\Users\user\AppData\Roaming\winapp\group_tag

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
55ryoipjfdr.exe